DNS loop in Active Directory environment?


DNS loop in Active Directory environment?

Postby BobbyO » May 15 13 5:31 pm

Hi Guys -

Long time Wingate administrator here. Had Wingate 5 and 6 deployed in an NT domain environment for many years. Office then upgraded to a Windows 2008 Server Active Directory Environment including DNS. Wanted to simplify the network so I have been running RRAS/NAT on a separate Windows Server 2003 for outbound internet access instead of Wingate. Too slow. So I want to return to using Wingate for outbound internet and NAT. So I've installed it on another Windows Server 2003. So far so good. But I'm getting what looks like a DNS loop that shows up in both the Activity tab and the History tab in Gatekeeper. Something like "DNS Lookup for A ....." and a URL. Over and over again. Fills up the whole Activity tab and the history tab. Gatekeeper then locks up or crashes so I then have to "Stop Wingate Engine" in the system tray. The Active Directory/PDC server is running DNS. So I went into Advanced Settings to disallow lookups to the IP address of the AD server. So I should specify each client's DNS as the IP of the AD server and not the Wingate Server? And setting up that whole Forwarder thing in AD - is that necessary? I don't really need to synchronize the AD database with Wingate users do I? Why can't I just run Wingate in the "guest" account, as I've been doing?

Anyway, suffice it to say that I need some guidance in getting Wingate 6 to work again. But this time in an AD environment with DNS running on the AD server. Any help would be much appreciated. Also need some information on pricing for an upgrade of a 25-user Wingate 6 license to Wingate 7. Do you have a name/email of somebody in your Sales group that I can talk to about that?

Good to be back in the Wingate fold. Many thanks.
BobbyO
 
Posts: 3
Joined: May 15 13 5:08 pm

Re: DNS loop in Active Directory environment?

Postby adrien » May 15 13 11:25 pm

Hi and welcome back.

With WinGate 6, in an AD, DNS looping was an issue if the AD DNS server forwarded requests back to WinGate. This was resolved using the WinGate Advanced Options applet (which you should see under the start menu in programs > WinGate > WinGate Advanced Options). What you need to do is add the IP of the AD DNS server in the DNS tab. This prevents WinGate's DNS client from using that server, which breaks the loop. Sounds like you already did this?

This problem doesn't occur in WinGate 7, since WinGate 7's DNS client does probing of the discovered DNS servers to detect loops, and alters how it will use a server accordingly.

Since WinGate 6 therefore won't use the AD DNS server, then domain computers need to be configured to use the AD DNS server rather than WinGate, or they won't be on the domain. WinGate 7 also resolves this, since it will forward DNS queries for the domain to the AD DNS server.

Forwarders setup in the AD DNS server would be necessary if the client machines are using it. It's much more performant than the clients using 2 DNS servers and failing over when they don't get a response from the primary. If the AD DNS server is not configured to use forwarders, it will probably just recursively look up from the root hints servers, which is really slow.

WinGate 6 doesn't do a great job of using user accounts in the AD either. We wrote a specific AD connector for this in WinGate 7, which

a) doesn't require synching the AD objects to WinGate
b) doesn't require running WinGate in any special service account (just LocalSystem which is default).
c) has been tested up to 2.5M user accounts

Depending on when your WinGate 6 license was purchased, or when it last had version protection active (e.g. if it was ever renewed etc), it may actually be eligible to be used in WinGate 7. The cut-off date is 1 Jan 2011, so any license that had valid version protection at that date is eligible to be used in WinGate 7.

You can send an email to sales@wingate.com if you're interested in checking if your license is eligible, or checking pricing.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: DNS loop in Active Directory environment?

Postby BobbyO » May 22 13 7:23 am

Hi Adrien -

Thanks for all the information. Much appreciated.

So I've decided to deploy Wingate 7 instead of having to deal with all the AD issues in 6. I've downloaded the 30-day trial, have it installed on a Windows Server 2003. So naturally, some questions.

1. fyi - AD is installed on a separate Windows 2008 Server and is running DNS.

2. What should be the settings for the internal network card on the Wingate server? Specifically, the default gateway address, the DNS server address, and WINS address?

3. What should be the settings for the clients that want to connect to the web via Wingate? Specifically, the default gateway address, the DNS server address, and WINS address?

4. Do I need to make any changes to the DNS on the AD server?

5. The trial version does not support the connector to AD, correct? Any issue just connecting each client to Wingate without any other user configuration tasks?

6. We're not using any internal email - we use Office 365. Should I disable the SMTP/Email service in Wingate? If so, how do I do that?

7. Any other issues or configuration tasks that you think are important?

Thanks again for all your help.
BobbyO
 
Posts: 3
Joined: May 15 13 5:08 pm

Re: DNS loop in Active Directory environment?

Postby adrien » May 22 13 9:47 am

BobbyO wrote:Hi Adrien -

Thanks for all the information. Much appreciated.

So I've decided to deploy Wingate 7 instead of having to deal with all the AD issues in 6. I've downloaded the 30-day trial, have it installed on a Windows Server 2003. So naturally, some questions.

1. fyi - AD is installed on a separate Windows 2008 Server and is running DNS.


ok

BobbyO wrote:2. What should be the settings for the internal network card on the Wingate server? Specifically, the default gateway address, the DNS server address, and WINS address?


for the WinGate computer to be on the domain (required), it needs to use the AD DNS server for DNS.
Default gateway on internal adapters should be empty normally. Default gateway must ONLY be used to tell the OS the path to the internet. So if you point it to an internal router, it normally breaks internet connectivity.
WINS is redundant / defunct on AD, so normally isn't even specified any more. Since Windows 2000, it's been replaced by DNS.

BobbyO wrote:3. What should be the settings for the clients that want to connect to the web via Wingate? Specifically, the default gateway address, the DNS server address, and WINS address?


Clients would normally use WinGate server IP for default gateway, and you have a choice for DNS, either WinGate or the AD DNS server.

If you choose WinGate, then if you shut WinGate down, the AD stops working for your clients. So I normally recommend pointing clients to the AD DNS server for DNS, but it means you do need to set up forwarders (really simple) in the AD DNS server.

BobbyO wrote:4. Do I need to make any changes to the DNS on the AD server?


Forwarders as above. In the DNS server properties, on the forwarders tab, add the IP of the WinGate computer.
In the LAN card on the AD Server, the DNS settings should point to 127.0.0.1 (itself)

BobbyO wrote:5. The trial version does not support the connector to AD, correct? Any issue just connecting each client to Wingate without any other user configuration tasks?


Actually trial does support all features and functions, it's purely time-limited. If you choose to test a license level lower than Pro you won't have it.

BobbyO wrote:6. We're not using any internal email - we use Office 365. Should I disable the SMTP/Email service in Wingate? If so, how do I do that?


You can delete all the services except the SMTP delivery service (which is used to deliver notification / alert emails). You couldn't delete these in WinGate 6.

BobbyO wrote:7. Any other issues or configuration tasks that you think are important?

Thanks again for all your help.




Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
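As an added example (not WinGate's or Qbik's code), the following Python model covers the forwarding chain from both of Adrien's replies: the WinGate 6 loop that appears when the AD DNS server forwards to WinGate while WinGate's DNS client still uses the AD DNS server, the Advanced Options exclusion that breaks it, the forwarder setup for the AD zone, and a probe in the spirit of the WinGate 7 loop detection he describes. Addresses and the zone name are constructed placeholders.

```python
# Added example, not WinGate's code; addresses are constructed placeholders.
AD_DNS = "10.0.0.10"      # Windows 2008 DC running AD-integrated DNS
WINGATE = "10.0.0.1"      # WinGate server, internal adapter
ISP_DNS = "203.0.113.53"  # resolver WinGate discovered on its internet adapter

def topology(excluded=(), domain_forwarders=None):
    """excluded = servers listed on WinGate's Advanced Options DNS tab;
    domain_forwarders = WinGate 7's per-domain forwarding to the AD DNS server."""
    return {
        # AD DNS answers its own zone and forwards everything else to WinGate
        AD_DNS: {"zones": {"corp.example"}, "forwarders": [WINGATE], "domain": {}},
        # WinGate's DNS client uses every server it discovered unless excluded
        WINGATE: {"zones": set(), "domain": domain_forwarders or {},
                  "forwarders": [s for s in (ISP_DNS, AD_DNS) if s not in excluded]},
        # the ISP resolver recurses from the root hints, so it answers any name
        ISP_DNS: {"zones": {"."}, "forwarders": [], "domain": {}},
    }

def in_zone(qname, zone):
    return zone == "." or qname == zone or qname.endswith("." + zone)

def next_hops(node, qname):
    hits = [srv for zone, srv in node["domain"].items() if in_zone(qname, zone)]
    return hits or node["forwarders"]

def trace(topo, start, qname, path=()):
    """Follow every forwarder a query can take. Returns ('loop', path) when a
    server already on the path is reached again, ('answered', path) when a
    server holding the name is reached, otherwise ('dead_end', path)."""
    path = (*path, start)
    node = topo[start]
    if any(in_zone(qname, z) for z in node["zones"]):
        return "answered", path
    outcome = ("dead_end", path)
    for hop in next_hops(node, qname):
        if hop in path:
            return "loop", (*path, hop)
        status, p = trace(topo, hop, qname, path)
        if status == "loop":
            return status, p
        if status == "answered":
            outcome = (status, p)
    return outcome

def probe_loops(discovered):
    """Mimics the WinGate 7 probing described in the thread: try each discovered
    server on its own with a test name and keep only those that do not loop."""
    return [s for s in discovered
            if trace(topology(excluded=[o for o in discovered if o != s]),
                     WINGATE, "probe.example.net")[0] != "loop"]
```

Run `trace(topology(), AD_DNS, "www.example.com")` to reproduce the AD -> WinGate -> AD cycle, and `probe_loops((ISP_DNS, AD_DNS))` to see the AD DNS server dropped from WinGate's upstream list.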

Re: DNS loop in Active Directory environment?

Postby BobbyO » May 24 13 7:58 am

All good. Will give it a shot and see what happens. Again, much appreciate your help Adrien and continued success with a great product.
BobbyO
 
Posts: 3
Joined: May 15 13 5:08 pm
