WinGate Forums

[ankit.soni.k]

Hello Experts,

Please excuse me incase of any errors, I have never worked on Wingate Server.

Hence i require your help in below situation.

Wingate Server is installed on one of the server box dedicate to it. Now my questions are as follows.

1. Does Wingate work in Domain Enviorment? If yes than how is the authenication method?
2. If i want to restrict only a particular user from accessing a praticular website, Is it possible then how?
3. If i want to restrict all user from accessing a praticular website, Is it possible then how?
4. Can i allow only one user to access gmail.com and block the same for the reset of the users, If yes than how?

Any help/ commets would be highl;y appreciated.

[Alen]

1. Does Wingate work in Domain Enviorment? If yes than how is the authenication method?

What could be the method in case of Windows domain integration? NTLM or Kerberos.
AFAIK, Wingate just sends user credentials to DC for authentication.

2. If i want to restrict only a particular user from accessing a praticular website, Is it possible then how?
3. If i want to restrict all user from accessing a praticular website, Is it possible then how?
4. Can i allow only one user to access gmail.com and block the same for the reset of the users, If yes than how?

First of all you have to mention connection method: Proxy vs NAT vs WGIC.
Second, you can grant permissions or make restrictions for separate user or group of users using service Policy. Just remember, if user is restricted the right in one group, but allowed in another - the effective is allowed.

If you want step by step guide look at the manual.

P.S.

Hello Experts,

I am not an expert, just read the manual. So RTFM. ;-)

[adrien]

Hi Anik

WinGate uses the underlying OS to authenticate, even in a domain environment. To do this, you need to choose the Windows user database in WinGate.

It is possible to do the restrictions you state.

Note that each policy you edit grants rights, and a right will be granted to a user if any policy matches. (we call them recipients, since they are the grant of a right to a user / group).

So, if you have a site (say example.com) you want 1 user (say Bob) to access and nobody else, you would have 2 recipients.

1. Everybody, ban site example.com
2. Bob, no restrictions.

This means everyone can view everything except example.com, and in addition to that, Bob can view anything.

blocking a single user from a site is a bit more tricky, since you effectively need to grant access to the site to everyone except that user. You could do this with groups, if you had a group that contained everyone except that user (say called EveryoneExceptBob) you'd have something like

1 Everyone, ban site example.com
2 EveryoneExceptBob no restrictions

Then since Bob is a member of everyone, but not a member of EveryoneExceptBob, then he'll have access only to everywhere except example.com, whereas everyone else will have unrestricted access.

If you can't do a group, you can exclude a user in policy as well. e.g.

1. Everyone: ban site example.com
2. Everyone: advanced: Not username = bob

Hope this helps.

[ankit.soni.k]

Hi Alen / Adrien,

Appreciate the help and support extended by you guys!!!

I just wanted to know if the condition are as follows than how should i implement this on my wingate server..

1. Everyone can access all website's except gmail.com, mail.yahoo.com
2. Group of user have access to all website including gmail.com, mail.yahoo.com

I have a domain enviroment, I have created two NT Groups on my Wingate Server (not domain) named "Full Access" & "Limited Access" and added the list of the user accordingly.

Adrien,

As per your advise i have tried the following configuration but "Everybody" can still access "ban site".

[Alen]

What do you have in the proxies Policies tab Default riights option? May be it set to "may be used instead" and they get access according your system policy?

[ankit.soni.k]

Hi Alen,

Thanks for your reply.. I have managed to understand the Wingate 99% all thanks to you guys.

Now i am stuck in one error which is quiet irritating.

In my Systems Policies, if i configure the below settings, Than i am able to Telnet my Wingate server on Port 80 and access the internet without any issues..

Everyone = Unrestricted rights

Keeping the above setting od Systems Policies intact, Now i try to configure my WWW Proxy Service, And as soon as i change the "Policies" tab, And set the access to "Default Rights (system Policies) = (are ignored). Than i am not able to Telnet the Wingate server on Port 80 nor am i able to access internet below are the error message

Telnet Error
==========================
HTTP/1.0 403 Access Denied
Pragma: no-cache
Content-type: text/html

<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD>
<BODY><H1>Access Denied</H1><P><P>File not found or access denied
</BODY></HTML>


Connection to host lost.
==========================

Internet Explorer Error
========================

The page cannot be displayed
========================

Note: i am using Windows Domain Authentication, i have created groups to assign the rights to access/ block the internet websites/ services, This server is also having Primary Domain Controller role, does that makes a diffrence???

Any help/ support would be really appreciated.

[jasona]

Do you have any policies on the WWW Proxy? When you change that option to "are ignored" then clients will no longer have access to the WWW Proxy unless there is a specific policy allowing them access.

[Alen]

When you change that option to "are ignored" then clients will no longer have access to the WWW Proxy unless there is a specific policy allowing them access.

I think you are wrong. If in a user service we set "Default Rights (system Policies) = are ignored" it means user will get access nevertheless of the System policy.

[ankit.soni.k]

Hi Alen,

Thats what the User Manual says, But i am not sure how do i still get the error message.

I have created a policy to allow a Group of user to access WWW Proxy Service but they are still getting the Access Denied Error on Telenet to Wingate Server.

I am still searching for a solution for this.. :-(

[Alen]

ankit.soni.k,
Let's clarify: you set up www proxy on port 80, you give Everyone a right for "User can access services" in the System Policy and "User can access this service" in the proxy Policy.
And when in the proxy Policy you have the option set to "may be used instead" it works, and when you change it to "are ignored" it doesn't?

If yes, IMHO a very strange thing is happening. May be you disable Wingate Guest user? (You should not, just don't grant him any rights).

[adrien]

When you change that option to "are ignored" then clients will no longer have access to the WWW Proxy unless there is a specific policy allowing them access.

I think you are wrong. If in a user service we set "Default Rights (system Policies) = are ignored" it means user will get access nevertheless of the System policy.

Jason is right. If you select "are ignored" then the system rights are not considered in the evaluation of rights. Therefore if there is no right specified in the proxy itself which grants access, then access will not be granted.

[Alen]

Jason is right. If you select "are ignored" then the system rights are not considered in the evaluation of rights. Therefore if there is no right specified in the proxy itself which grants access, then access will not be granted.

Now I see he was right too. Sorry.
In fact I meant the same, just didn't say it as I had to:

If in a user service we set "Default Rights (system Policies) = are ignored" it means user will get (or not) access nevertheless of the System policy.

You can see it from my last post (where I claimed, that if you set "User can access this service" in the proxy Policy and "Default Rights (system Policies) = are ignored the user should get the access.)

[ankit.soni.k]

Hi Alen/ Jason/ Adrien


Really appreciate your help and support extended.

Alen, Below is the procedure i follow for configuring the Policies.

1. Systems Policies TAB [Everyone= Unresrticted Rights]

2. WWW Proxy Server --> Policies TAB
a) Right [Users can access this service]
c) is granted to [Full_Internet_Access - This is a Windows NT Group which contains the list of the user's Windows NT Login ID]
b) Default Rights (Systems Policies) [Are ignored]

I hope I have configured it correctly..

Issue still remains the same .. :-(

[Alen]

ankit.soni.k
I think you have problems with users group. I don't know definitely what problems. But.
Try all the same you tried, just use in the Proxy Policy "Everyone" user group, instead of your Full_Internet_Access.

If this works, then find out what is wrong with your Full_Internet_Access group.