Wg4 - 3 From Deerfield

This document provides an overview of the WinGate proxy server software. It discusses key features of WinGate like GateKeeper, services, policies and logging. It also provides instructions on installing and configuring WinGate, setting up clients, and integrating WinGate with other servers and networks. The document contains details on optimizing WinGate and troubleshooting potential issues.

Table of Contents

Welcome to WinGate by Qbik
Getting Started
What's New?
Features Added in WinGate 4.3
Features Added in WinGate 4.2
Features Added in WinGate 4.1
Features Added in WinGate 4
What Is WinGate?
WinGate Features
Comparison of Home, Standard & Pro
Common Terms
What Do I Need To Run WinGate?
Introduction To GateKeeper
GateKeeper Offline
GateKeeper Logon
GateKeeper Online
Actions in the Activity Screen
GateKeeper History Screen
Advanced GateKeeper Options
System Tab
Services Tab
Users Screen
Configuration Pane
GateKeeper File Menu
GateKeeper View Menu
GateKeeper Options Menu
GateKeeper Help Menu
History Column Picker
Troubleshooting
Confirmation Options
User Authentication with WinGate
WinGate Services
Adding Services
Integrating WinGate with other Servers
General Tab
Bindings Tab
Interfaces Tab
Sessions Tab
Policies Tab
Non-Proxy-Request Tab
Connection Tab
Logging Tab
Change Password
Logon and Online Options
System Info - General Tab
System Info - Bindings Tab
WinGate Engine Monitor
Network Interface Setup
AutoSave for GateKeeper Changes
Scheduler
Scheduler logging
Add Event
Events
Scheduler Actions
Roll Over Audit/Logs
Export User Accounts
Reset All User Accounts
Execute Command Line
Remove Event
Do Now
Scheduled Events
Move Action Up
Move Action Down
Occurrence
Description
Remove Action
Generic Discovery Protocol - GDP
Winsock Redirector Service
WWW Proxy Server
Reject Request
Pipe Request to Predetermined Server
Redirect Client to Predetermined Location
Using the Web Server
Permit directory browsing
Server root directory and filename
Enable CGI interface
SOCKS5 server
SOCKS Advanced tab
FTP Proxy
Telnet Proxy
Real Audio Proxy
POP3 Proxy
Advanced POP3 Usage
VDOLive Proxy
Xing Streamworks Proxy
Mapping Services - Mapped links
Mapped Link Advanced Features
DNS Server
Remote Control Service
Adding a WWW Proxy Server
Adding a SOCKS 5 Server
Adding a POP3 Service
Adding a Telnet Proxy
Adding a FTP Proxy
Disabling the WinGate DNS Server
Adding a Mapped Link
Adding Specific Mappings
Adding a Real Audio Proxy
InterQuick Plug-in Integration
SMTP Proxy Service
SMTP Proxy Setup
Configuring the SMTP Proxy for Local SMTP Servers
Configuring the SMTP Proxy for Remote SMTP Servers
What Is Email Spamming?
WinGate Spam Protection
Using Email Aliases
How SMTP Works
Add/Remove/Edit Alias
Limit Message Size
Limit Number of Recipients
Outbound Mail Options
Inbound Mail Options
Bindings Tab
Sessions Tab
Interfaces Tab
Policies Tab
Logging Tab
Non-Proxy Tab
Java Check Box
Information
WinGate FAQ
WinGate Tested Software
Licensing in WinGate
Contact Information
About Qbik New Zealand Limited
How To Use WinGate Help
How To Use WinGate Help
Year 2000 Compliant
Feature Unavailable with this License
DHCP
Changing to DHCP
DHCP Information
Starting DHCP
Stopping DHCP
Disabling WinGate DHCP
DHCP General tab
DHCP Bindings tab
DHCP Configuration
DHCP Settings
Adding a Scope
Changing Scope Properties
Removing a Scope
Managing Client Reservations
Adding a Client Reservation
Assigning DHCP Configuration Options
Releasing and Renewing a DHCP Lease
DHCP Configurable Options
Appendix
Port Assignments
TCP/IP and Network Topics
Using Proxy Auto Configuration
Ports
DNS Options
Why do I need DNS?
Multi segment LANs
Routing
TCP UDP and IP
Encryption
Logic and Caching
Glossary
Advanced WinGate Configuration
Hosts Files
Secure Inter-Office Communications
Dialing in WinGate
Dialer General Tab
Dialer Local Sites Tab
Dialer Settings Tab
Dialer Profile Configuration
Multi-Language Support
WinSock 2 Not Installed
Client or Server
Welcome to WinGate
License Info
License Selector
Express or Custom Setup
Services
Selecting Installation Directory
Select Program Manager Group
Install the WinGate NAT Service
Main/Basic Services
Email options in the installer
News IRC IMAP4 Settings
WWW Cache Settings
The Log file viewer
Start Installation
Backup Replaced Files
Known Issues in NT Release
Known Issues in 95/98 Release
WinGate Lite License
User Database Integration with NT & 2000
Download WinGate Plugins
Advanced WWW Settings
Advanced FTP Settings
Advanced Email Settings
Installation Overview
STEP 1: Setting Up A Working Network
STEP 2: Setting up the WinGate server
STEP 3: Installing or upgrading WinGate
Service Pack Requirements
Direct Connection to the Internet
Installing TCP/IP on the WinGate server
Configuring TCP/IP for the WinGate server
Installing WinSock 2
Clean Install of WinGate
Upgrading to WinGate
STEP 4: Setting up the Client computers
Installing TCP/IP on the Client computers
Configuring TCP/IP on the Client computers
Use WinGate DHCP server to configure clients
Use another DHCP server to configure your clients
Do not use DHCP to configure clients
Configuring clients to use proxies
Configuring Clients To Use ENS (NAT)
Changes made by WinGate Installation
Test TCP/IP
Release/Renew TCP/IP configurations
Uninstalling WinGate
Installing the WinGate Internet Client
System Messages
System Message Options
System Message Index
No Valid Interfaces Available for Service
Binding Specified Invalid
No Interface Specified for Binding
Binding No Longer Available
Invalid Binding For Service
Connectoid Deleted
WinGate Pro License Key Does Not Exist
Administrator / User Account Not Found
Administrator / User Group Not Found
Remote Control Service Does Not Exist
Invalid License
Invalid WinGate 2 License
Migrating Settings From WinGate 2
Default WinGate Configuration Used
WinGate Failed To Initialize SNMP
WinGate Dialer Restarted
WinGate Failed to Initialize ICMP
No Private IP Interfaces Bound to Service
Non-Private IP Allocation Denied
Client Denied Access to WinGate DHCP
WinGate DHCP Can Not Offer Client IP Address
Complete or Partial Service Failure On Startup
User Request Failed WinGate Authentication
Incorrect Version of NAT Driver
Must Set Administrator Password for Remote Access
ENS Driver Refused to Load
ENS Driver Failed to Load
ENS Driver Running out of Memory
WinGate Extended Network Support
Extended Network Support - Routing
Extended Network Support - Firewall
Extended Network Support - Port Security
Port Range Configuration
What is a Firewall?
Online Security Threats
Trojan Horse Story
Connections from (Interface)
TCP
UDP
Port
Relay UDP broadcast packets
Enable support for multiple default routes
Port Cloaking
Disable network name broadcasts to the Internet
Allow users to ping this computer from the local network
Allow users to ping this computer from the Internet
Discard spoofed packets
Port Range Specification
Action
Notify When This Range Is Accessed
Firewall Modes
Enable/Disable General Purpose Internet Sharing
Enable/Disable Routing Between Multiple-Subnetworks
Enable/Disable Extended Network Driver
History Plug-In Components
History Plug-In: Traditional WinGate Logging
Maximum Database Size
User Properties Control
HTTPS
Cache Size
Purge When Full
Enable Cache Lookups
Enable Additions to Cache
Rechecking HTML
Rechecking Other Files
Rebuild Index File
Purge Now
Cache Everything
Specify What To Cache
Add Cache Filter
Add Cache Criterion
Add Purge Filter
Add Purge Criterion
Delete
Apply - Cancel - OK
Accept Connections on Port
Bind To Specific Interface
Service Must Start
Service Name and Description
Back and Forward
Timeouts
Policy Recipients
Add a Recipient
Remove a Recipient
Redirect Client
Serve From Local Disk
Perform Reverse Name Lookups
Use RFC1929 Authentication
Refer HTTP Requests
Allow Caching of Referred HTTP
Use SOCKS Policies?
Server Details
Specific Policy
Default Rights
Purge Qbik Web Pages
Purge Unused Files
Purge Zero Length Files
Purge Files Not Recently Used
Purge Large Files
Spamming
Interface
DUN
Allow Connections on All Interfaces
Specify Interface
Specify DHCP Interface
Specify Interfaces
Bound Interfaces
Available Interfaces
Start Even If Address Is In Use
Help
Shutdown WinGate Engine
Save Changes
Tool Bar
Status Bar
Always on Top
About Gatekeeper
Current Computer Session
Authenticated WinGate User
Remote Control Session
WRP Control Sessions
TCP Session
HTTP Sessions
Guest WinGate User
Assumed WinGate User
MITCH\ben Computer Session
System Services
User Services
Account Enabled
User Cannot Change Password
User Must Change Password
User Details
Currently a Member Of
Not a Member Of
Enable History Logging
Maximum History Size
Maximum Days
Clear History
Display This Data
Reset Accounting Totals
Time
Computer
Username
WG User Name
Activity
Session Duration
Bytes In
Bytes Out
History Not Available
Register
SOCKS Session
Computer Session
Exit
Text Labels
Only Load the Last
Online Computer
Help Topics
DNS Lookup
HTTP POST
Application Name
Check Version
General Purpose Internet Sharing (NAT-based) Session
Startup Options for WinGate Services
Clear History
Save History
GateKeeper AutoSave
IP Number
Cache Management
What to Cache
What to Purge
Security Concepts in WinGate
Managing Users and Groups with WinGate
Adding a User
Groups
User Assumptions
User Info Tab
Groups Tab
User Accounting
Auditing and Logging
Viewing Log and Audit Files
WinGate Policies and Rights
Basic Rule Structure
Assigning Rights
Recipient Tab
Location Tab
Time Tab
Ban List Tab
Advanced Tab
Rules Examples
Securing your Network
User Database Options
Managing WinGate Users & Groups with NT
Authentication Methods for WinGate Services
Importing & Exporting WinGate Users
Importing Users & Groups from Windows
Importing Users From A Text File
User Export Wizard
Export Options
Export File Type
Export to Text File
Merge Members
Template / Members Field
Password Field
Open / Delete Buttons
NT Database Options
User Authentication
Extended Network Support
Why Use WinGate NAT Connectivity?
Comparing NAT, WGIC and Proxy Methods
Integrating NAT with WGIC and WinGate Proxies
Recommended Network Configurations
How NAT Works
WinGate Home
What's New in WinGate Home?
What is WinGate Home?
Home GateKeeper
History in WinGate Home
File Menu in WinGate Home
View Menu in WinGate Home
Options Menu in WinGate Home
Help Menu in WinGate Home
Dialer in WinGate Home
Advanced Options in WinGate Home
Network Extensions for WinGate Home
Help for WinGate Home
Proxies
Integrating WinGate Proxies with Other Servers
Integrating WinGate with a Web Server
Integrating WinGate with an Email Server
Integrating WinGate with a FTP Server
Winsock Redirection Protocol Service
WRP Application Modes
WRP Compatibility
Notes for Winsock Application Developers
WRP FAQ

Welcome to WinGate by Qbik

Thank you for choosing WinGate™ by Qbik New Zealand Ltd. for your
Internet sharing needs. WinGate includes many features that make
Internet sharing easier and cheaper, while saving you time and money.

At the same time WinGate provides the highest level of security and
flexibility using the GateKeeper interface which gives a "live" view of
activity on your LAN. To get a better overview of WinGate and what it
can do click here!
WinGate is fully Y2K COMPLIANT

WinGate – The Internet Sharing and Firewall Solution for Windows

WinGate is run on a single computer and provides multiple computers on the same network with full
access to the Internet. It does this by allowing them all to share a single Internet connection
simultaneously. WinGate provides three methods for sharing a connection to the Internet (Proxies,
WinGate Internet Client, NAT-based General Purpose Internet Sharing) enabling you to customize
WinGate to meet the demands of your network users.

Extended Network Support (a free plug-in component for WinGate 4 and later) allows users to share
an Internet connection amongst computers running virtually any application on virtually any platform.
You can download this plug-in from http://wingate.com/plugin.

InterQuick (IQ)™ (a free plug-in component for WinGate 4 and later) can provide faster access and
more control to web content for WinGate Internet users. It provides IQfetch™ and IQschedule™ for
web acceleration and IQfilter™ and IQblock™ for filtering content. You can download this plug-in from
http://wingate.com/plugin.

Where Do I Start Learning All About WinGate?

• If you are new to WinGate read the Getting Started topic
• For an overview of the new features in this WinGate release check out What’s New
• The "WinGate ReadMe" (a collection of HTML pages with useful WinGate information and links)
can be accessed from the Start Menu under the WinGate program group (WinGate Info link).

This help system is designed to support users of all WinGate
versions. If you are using WinGate HOME then click here for
help written specifically for you, the home user.

Home, Standard or Pro: Which WinGate License Is Best For Me?

HOME STANDARD PRO

There are THREE licenses for WinGate. The features that are visible when you run WinGate will
depend on the license key that you have purchased (the same installer file is shipped for all three
versions). Click here to view an Overview Comparison of the features in each version. This will help
you pick the best version of WinGate to satisfy your Internet sharing requirements.

WinGate™ © 1995-2000 by Qbik New Zealand Limited, All Rights Reserved.

Click here to learn more about Qbik and what we do.

Getting Started

Welcome to WinGate! WinGate enables you to connect your entire local network to the Internet with a
single modem. WinGate has been further developed to simplify some of the more complex tasks;
however, depending on your starting point, you may have a few things to set up before all of your
computers can share the same connection to the Internet.

Go There! First you need to read about configuring your network and installing WinGate.
This is easy, and if you follow the Installation Guide carefully, you will get it right
first time.

Go There! Check out the ‘What is WinGate?’ section. This tells you what WinGate does and
how it works.

Once WinGate is set up and working properly you will want to learn about the
following WinGate components:

• WinGate Engine Monitor. (runs in the system tray and allows you to stop/start
the WinGate Engine and launch GateKeeper)
• GateKeeper. GateKeeper is the interface through which you control and
configure the WinGate Engine. You will use GateKeeper to add users and
groups, policies, access restrictions and everything else you may want to
configure with WinGate.

What's New?

This topic provides links to information about the new features added in each WinGate release (Standard
& Pro versions). Click the link below for information on new features in WinGate Home.

WinGate 4.3

WinGate 4.2

WinGate 4.1

WinGate 4 with ENS Plug-in

Bug-Fixes & Minor Enhancements

A range of bug fixes and minor enhancements have been addressed in this WinGate release. You are
encouraged to browse these changes and updates by selecting the "WinGate Info" link from the Start
Menu in the WinGate program group.

To Learn More About:

• New features for WinGate Home (click here)
• License or version upgrade information (click here)

Features Added in WinGate 4.3

The following features are the result of a major re-engineering project that replaced the previous ENS
with a new, more reliable one for the release of WinGate 4.3.

The New More Reliable ENS

• The 4.3.0 ENS does not install additional interfaces in the network properties on the WinGate
server, and is therefore far less likely to conflict with virtual adapters and VPNs.
• The 4.3.0 ENS engine has no known hardware incompatibilities. While the 4.2 (and earlier)
NAT engine would not work with some brands of network cards, the 4.3.0 ENS engine has no
such issues known.
• Supports all current Operating Systems and service packs. The 4.2 (and earlier) ENS will only
work on Win 9X and NT4, SP 4 or 5 systems. The 4.3.0 ENS engine supports Win 2K as well as
all 9X and NT4 SP4 or later platforms.
• The 4.3.0 ENS Engine dynamically binds to network adapters so you can safely modify your
TCP/IP network configurations without having to manually reconfigure WinGate's ENS service.
(i.e. uninstall and reinstall ENS every time you modify your TCP/IP settings on the WinGate
server.)
• VPN - Point to Point Tunneling Protocol (PPTP) support. NOTE: VPN support with WinGate 4.3
Beta A is limited to PPTP out only and IPSEC is not supported. This means that a client to a
WinGate server has the ability to connect to an external VPN server using Microsoft's VPN,
however WinGate clients cannot host a VPN server.

Features Added in WinGate 4.2

The following features were added with the release of WinGate 4.2.

Bug-Fixes & Minor Enhancements

A range of bug fixes and minor enhancements has been addressed in this WinGate release. These
changes and updates are available by clicking the "WinGate Info" link from Start/Programs/WinGate
Program Group.

Simultaneous logins

A policy has been added to control who can log on to WinGate from more than one client computer at a
time. This is useful to prevent users sharing their account details with others. As with all WinGate
policies it is customizable to allow any combination of users or groups.

Automatic detection of a new dial-up connection

The WinGate Engine can now automatically detect when a new dial-up connection has been added to your
services. It generates a system message which prompts you to configure the new service.

Registry Back-up

This feature has been added to GateKeeper’s advanced options in order to allow you to save your current
registry settings into a re-loadable registry file. This file can be used as a backup or to examine your
configuration details more closely.

Configuration Report

This feature has been added to GateKeeper’s advanced options. It allows you to display troubleshooting
information by producing a text report of the current WinGate configuration. The information can be
saved to a text file.

Improved navigation of the Gatekeeper menus

Some of the menu items have been moved to new areas for improved navigation within the Gatekeeper
screen. The confirmation and syslog options items can now be found in the Options/Advanced drop-
down menu box.

View in the Activity Pane

The display of sessions as they occur can now be ordered either by computer or by type of
service.

Features Added in WinGate 4.1

The following features were added with the release of WinGate 4.1.

Bug-Fixes & Minor Enhancements

A number of bug fixes and minor enhancements have been addressed in this WinGate release. You are
encouraged to browse these changes and updates by selecting the "WinGate Info" link from the Start
Menu in the WinGate program group.

User Management & Authentication with Windows NT / 2000

New support has been added for integrating the WinGate and NT user databases. This simplifies user
management on an NT / 2000 network and provides stronger NT-based authentication. This feature is
only available with a WinGate Pro license on NT/2000.

Ability to Import & Export WinGate Users

The user import / export database tools enable the administrator to import or export all users and groups
information to and from text files.

Users can also be imported and totally integrated with an existing Windows NT or 2000 user database
(feature only available with a WinGate 4 Pro license).

SMTP Proxy with Spam Protection

The SMTP Proxy is an all-new WinGate Service that provides your WinGate network with tighter
control over email and the ability to filter SPAM at the gateway. Feature available with a Pro or
Standard license.

AutoSave for GateKeeper Changes

Enabling this feature means that you will no longer have to manually save each WinGate configuration
change. Any changes to WinGate services will be saved as soon as you click the OK button in a service
or other dialog.

Network Interfaces

New support has been added enabling the WinGate administrator to specify which interfaces are open to
the Internet and which are trusted (private on the LAN).

This provides better support for a wider range of Internet setups (e.g. cable modems, direct router
connections etc).

Universal WinGate Engine

In the past a separate WinGate Engine executable was required for NT and 9x users, thereby enabling a
single WinGate installer for any Windows platform.

Now the WinGate Engine is a convenient single executable file, which means that it is portable between
NT and 9x systems.

Features Added in WinGate 4

The following list of features was added with the release of WinGate 4.

WinGate Network Extensions (ENS)

The Network Extensions (a FREE but optional component for WinGate 4 license holders) dramatically
improve WinGate’s ability to share Internet access and provide security on your LAN. They consist of
General Purpose Internet Sharing (NAT-based), bridging of multiple subnetworks, and a full-strength
firewall that filters TCP/UDP packets.

System Messages

System Messages is a diagnostic tool to help you fix common WinGate configuration problems. Each
log message includes integrated support with the help file, enabling you to fix common problems
quickly.

History Component Plug-In

The way history and logging is handled has been changed to support a new architecture that "opens the
gate" for 3rd party plug-in components. This new design includes support for two types of History plug-
in components: separate History Storage and History Viewing components.

InterQuick 2.1 Service Plug-In

WinGate now provides complete plug-in support for InterQuick 2.1. This feature adds pre-fetching,
content-filtering, DNS-caching, banner ad blocking among other things. To learn more about this
product see http://www.interquick.deerfield.com (or read the InterQuick help file if you have installed
this plug-in already).

New Service Startup Options

All services can be configured with NT-style startup options: automatic, manual or disabled.

Cloning of Existing User and Service Properties

Click here for more about cloning properties of Users
Click here for more about cloning properties of Services

You can clone the properties of existing WinGate Users and Services through a context-sensitive right-
click menu in GateKeeper. This feature makes it quicker and easier to set up new users and services.

What Is WinGate?

WinGate is an Internet connectivity server and firewall package that allows you to share one or more
Internet connections with an entire computer network. The Internet connection shared by
WinGate can be of nearly any type, including dial up modem, ISDN, xDSL, cable modem, satellite
connection, or even dedicated T1 circuits. Remember that with WinGate all of the computers on your
network can share the Internet simultaneously.

These types of products are traditionally the exclusive domain of network specialists, and there are a
number of concepts that may seem new to you. Keep reading if you don’t understand some of the terms
used, as this manual is packed with explanations in understandable language. You can also check the
glossary included with this help file to look up simple definitions of technical words used.

The primary benefit of WinGate is its ability to allow multiple computers to share a single Internet
connection. This eliminates the need to add additional phone lines, Internet access accounts, modems,
or expensive dedicated circuit hardware in order to provide Internet access to multiple computers. By
sharing a single Internet account and connection with WinGate, a home or business user can provide
Internet access to an entire network with cost savings that can be seen immediately. WinGate is a
unique solution in that it provides three different methods for connecting to the Internet (allowing you to
customize to meet your requirements).

In addition to providing an Internet connection sharing solution, WinGate also protects your internal
network with its firewall component. The WinGate firewall prohibits intruders from accessing your
internal network through your Internet connection by restricting IP addresses that can access your
internal network from the Internet and by binding the ports in the operating system. WinGate can also
be used on Intranets or company WANs that have no Internet connection. Throughout this manual,
Internet connections are normally assumed. In reality this could be any connection (e.g. remote office
dial-up link, etc), via LAN, WAN or Internet.

WinGate consists of two main components and an optional client applet (to implement WRP). The
WinGate engine is a service that runs on the computer that is directly connected to the Internet. This
engine provides the actual connectivity but is not visible to the user. GateKeeper is the control and
configuration interface for the WinGate engine. The WinGate Internet Client (WGIC) runs on client
computers and provides access to the WRS (Winsock Redirection Service).

Once WinGate is installed and your workstations are configured, you are ready to surf the Internet.

Click here to begin installing WinGate.

WinGate Features

Three Types of WinGate Licenses

The following table provides a high level description of what you get with each licensed version. Click
here to see an overview comparison of the features included in each version.

A Pro License is fully featured, providing your network with the ultimate in
Internet access. With Pro you have complete control over Internet access on your
network.

Click here to learn more about features only in Pro

A Standard License provides all of the Internet sharing options. Unlike Pro,
there is no user database, and GateKeeper administration is only possible from
the WinGate server.

Click here to learn about features in Standard and Pro

A Home License is a simplified interface, neither requiring nor allowing many
user configurations. The standard services are provided but can not be modified
or deleted.

Click here to learn about features in all versions

Note About Licenses for Standard and Pro:

If you decide to purchase WinGate Standard or Pro then you will also need to consider how many
licenses you will require.

Click here to learn more about how WinGate licensing works.

Features Common to WinGate Home, Standard & Pro:

Click here to learn more about trialing or purchasing a WinGate License!

ENS - Extended Network Support

Extended Network Support provides powerful Internet capabilities to users on your WinGate network.
Built around a virtual device driver, the WinGate network extensions give WinGate packet-level access to
information on the network, which enables it to provide the following set of powerful new features:
General Purpose Internet Sharing (NAT-based), Firewall and Port Security, and Multi-Subnet Bridging
(Routing). Note that some advanced firewall functionality (advanced port configuration) will not be
available to WinGate Home users.

Winsock Redirector Service

The Winsock Redirection Service provides the Winsock redirection protocol or WRP. WRP allows
nearly all your applications to run as if they are directly connected to the Internet. Once the WinGate
Internet Client (WGIC) is installed on your client computers, no Internet software configuration is
needed. Previous versions of WinGate required each application to be configured manually for proxy
operation. This is no longer required, although any proxy-configured software will still work.

DNS Server

The DNS server is a partial implementation. It provides sufficient functionality to use the SOCKS
server for SOCKS4 requests. The WinGate DNS server integrates with the DHCP server to allow DNS
resolution for computer names on your network. If more functionality is required, Mapping proxies may
be used to forward all DNS requests to a full implementation DNS server. Alternatively, you can run a
stand-alone DNS server on the WinGate server.

DHCP

DHCP automates the client network configuration for your entire LAN. With full-auto mode or manual
mode, the WinGate DHCP will configure IP numbers and DNS for all your client computers. DHCP is
only available if you have a WinGate license.

GDP

Generic Discovery Protocol is a new protocol for finding or ‘discovering’ Internet connectivity servers
such as WinGate. It is used in the WinGate Internet Client (WGIC) and GateKeeper for finding
WinGate. Once installed, GDP can be left unattended. It is designed to be fully automatic, requiring no
user intervention.

WinGate Dialer

The WinGate dialer takes the chore out of maintaining the Internet connection. Different ISP accounts
can be configured, and access can be restricted by users groups and other parameters.

Logging and History

All WinGate services will store key information in Log Files named ‘ServiceName.log’ that can be
found in the Program File/WinGate/Logs folder (these can be viewed with any text-editor).

History can be stored or viewed by a plug-in component provided by Qbik or any other third-party
software provider. Currently the standard WinGate logging functionality has been implemented as a
plug-in and its existing functionality improved.

WinGate Engine Monitor

The WinGate Engine Monitor runs in the System Tray and tells you whether the WinGate engine is
started or stopped. It also allows you to run GateKeeper simply by double-clicking on it.

Features Only in WinGate Standard & Pro


Security Policies

Rights can be assigned to users for each service or on a global basis. Rights can be defined according to
user/group, location, time of day, or advanced parameters of each particular request.

System Log

The WinGate System Log is a feature designed to assist the Administrator in diagnosing and fixing
specific WinGate or general network problems.

WWW Proxy

The WinGate WWW proxy is an HTTP/1.0 compliant caching HTTP proxy server. It supports HTTP
requests, FTP requests, and SSL tunneling. The WinGate WWW proxy is also a web server, with
directory browsing and, on the NT version, even CGI support. Features include the ability to handle
normal (non-proxy) requests in a variety of ways, which makes it a good front-end to your existing
WWW server, or even an automatic site mirroring tool. It also allows cascading through another proxy
or SOCKS4 server.

Note:
In many cases the WGIC (LSP-based Internet sharing) and ENS (NAT-based Internet Sharing) have
superseded the need for proxies. However, proxies are still required if you wish to have per-service
control, and they can offer advantages in certain situations.

SOCKS Server

The WinGate SOCKS server is SOCKS 4 and SOCKS 5 (RFC 1928) compliant. It supports RFC1929
authentication using the user accounts in the WinGate User Database. The WinGate SOCKS server is
HTTP-aware. It can intercept HTTP requests, and handle them with the built-in WinGate WWW proxy.
This means that even your SOCKS users will enjoy the benefits of the WWW proxy (e.g. caching), and
can be subject to the same security policies.
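
Added example (not part of the original manual and not WinGate's code): the SOCKS 5 method negotiation from RFC 1928, the RFC 1929 username/password sub-negotiation named above, and the CONNECT request, with both client and server sides. The user table, credentials and target host are constructed for illustration; the byte layout shows that RFC 1929 carries the password in cleartext.

```python
import hmac
import struct

VER5 = 0x05                                   # SOCKS protocol version
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
AUTH_VER = 0x01                               # RFC 1929 sub-negotiation version
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

# Constructed account table standing in for a proxy's user database.
SAMPLE_USERS = {"alice": "s3cret"}


def client_greeting(methods):
    """RFC 1928 section 3: VER | NMETHODS | METHODS."""
    return bytes([VER5, len(methods), *methods])


def server_select_method(greeting, require_auth=True):
    """Server reply VER | METHOD; 0xFF means no offered method is acceptable."""
    if len(greeting) < 2 or greeting[0] != VER5 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    wanted = USERPASS if require_auth else NO_AUTH
    return bytes([VER5, wanted if wanted in greeting[2:] else NO_ACCEPTABLE])


def client_auth(username, password):
    """RFC 1929: VER(0x01) | ULEN | UNAME | PLEN | PASSWD, sent unencrypted."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([AUTH_VER, len(u)]) + u + bytes([len(p)]) + p


def server_check_auth(msg, users):
    """Return (username or None, reply); reply STATUS 0x00 is success."""
    failure = bytes([AUTH_VER, 0x01])
    if len(msg) < 5 or msg[0] != AUTH_VER:
        return None, failure
    ulen = msg[1]
    if ulen == 0 or len(msg) < 3 + ulen:
        return None, failure
    plen = msg[2 + ulen]
    if plen == 0 or len(msg) != 3 + ulen + plen:   # truncated or trailing bytes
        return None, failure
    uname = msg[2:2 + ulen].decode(errors="replace")
    expected = users.get(uname, "").encode()
    # Constant-time comparison; an unknown user has no expected password.
    matches = hmac.compare_digest(expected, msg[3 + ulen:])
    if matches and expected:
        return uname, bytes([AUTH_VER, 0x00])
    return None, failure


def connect_request(host, port):
    """RFC 1928 section 4, domain-name form: VER CMD RSV ATYP LEN NAME PORT."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("host name must be 1..255 bytes")
    header = bytes([VER5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def parse_connect_request(msg):
    """Server side: extract (host, port) so access policy can be applied."""
    if len(msg) < 7 or msg[0] != VER5 or msg[1] != CMD_CONNECT or msg[2] != 0:
        raise ValueError("not a SOCKS 5 CONNECT request")
    if msg[3] == ATYP_IPV4:
        if len(msg) != 10:
            raise ValueError("bad IPv4 request length")
        host = ".".join(str(b) for b in msg[4:8])
    elif msg[3] == ATYP_DOMAIN:
        if msg[4] == 0 or len(msg) != 5 + msg[4] + 2:
            raise ValueError("bad domain request length")
        host = msg[5:5 + msg[4]].decode("ascii")
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", msg[-2:])
    return host, port


def run_exchange(username, password, host, port, users=SAMPLE_USERS):
    """Walk one client through all three phases; return the result or None."""
    method = server_select_method(client_greeting([NO_AUTH, USERPASS]))
    if method[1] != USERPASS:
        return None
    user, reply = server_check_auth(client_auth(username, password), users)
    if reply[1] != 0x00:
        return None
    return (user,) + parse_connect_request(connect_request(host, port))


if __name__ == "__main__":
    print(run_exchange("alice", "s3cret", "example.com", 80))
    print(run_exchange("alice", "guess", "example.com", 80))
```

Because the credentials travel as plain bytes, this sub-negotiation is best kept to networks where the path between client and SOCKS server cannot be sniffed.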

FTP Proxy

The FTP Proxy provides access to FTP servers. It uses the username@hostname method of firewall
traversal. The FTP Proxy supports non-proxy requests. This allows the proxy to act as a front end to an
FTP server, or to cascade through other proxies.

POP3 Proxy

The WinGate POP3 proxy allows access to POP3 servers on the Internet for retrieving email. As with
the WWW and FTP proxies, the POP3 Proxy can act as a front end to your POP3 server, giving you a
seamlessly integrated mail system. It can also be cascaded through other proxies.

Telnet Proxy

The WinGate Telnet proxy provides access to telnet servers. The Telnet proxy in WinGate will support
many telnet clients including Unix. Telnet also supports cascading. The Telnet proxy supports user
login for further security.

VDOLive Proxy

This proxy enables all users on the LAN to enjoy live video using the streaming video player from
VDONet Corporation. You need to ensure you have the proxy-capable version of the VDOLive player
for this. Non-proxy handling also allows you to run your own VDO server, for which WinGate can act
as the front end.

RealAudio Proxy

The RealAudio proxy allows users on the LAN to access RealAudio servers for streaming audio and
video. The proxy-aware version of the RealAudio player (version 2 or later) is required. Non-proxy
handling also allows you to run your own RealServer, for which WinGate can be the front end.

Xing Streamworks Proxy

The XDMA proxy allows Xing Streamworks clients to operate on your network.

Mapping Proxies

The Mapping proxies in WinGate provide generic connectivity for both TCP and UDP applications that
do not support proxy protocols. Enhanced mapping allows mapped links based on user location or dialer
profile. Mapping proxies for TCP support end-to-end encryption. This allows secure WinGate-to-
WinGate connections over the Internet or LAN.

Non proxy capability

The non-proxy request (NPR) capability of many WinGate proxies allows other Internet servers to
integrate seamlessly with WinGate, without conflicts or the need to use different port numbers. Any
non-proxy request to a WinGate proxy can be piped to another server. This also allows WinGate to
control access to other servers, which may not have the flexibility for access control that WinGate has.

Features Only in WinGate Pro

Remote GateKeeper Administration

WinGate can be configured and monitored from almost anywhere with GateKeeper (from the Internet if
you choose). GateKeeper communicates with WinGate over an encrypted TCP/IP connection. This is
provided by the Remote Control Service that is available with a Pro license.

Extended User Database

The User database allows logging and auditing per individual user. Groups of users can be defined, and
access rights can be assigned on a user or group basis. You can create nested groups (groups within
groups) for even greater ease of user setup.

User Management and Authentication with NT / 2000

New support has been added for integrating the WinGate and NT user databases. This simplifies user
management on an NT / 2000 network and provides stronger NT-based authentication. This feature is
only available with a WinGate Pro license.

Ability to Import / Export WinGate Users

New support has been added for importing users and groups into WinGate from other sources. The user
database wizard enables the administrator to import or export all user and group information to and
from text files.

Users can also be imported and totally integrated with an existing Windows NT or 2000 user database.
This feature is only available with a WinGate Pro license.

Secure WinGate Authentication

WinGate provides THREE methods of secure user authentication. This affords you even tighter control
over your network, users and Internet connection. And if you have WinGate 4 Pro (or more recent) you
can benefit from NT-based authentication.

Support for Multiple Interfaces

WinGate can make use of multiple Internet connections to give you wider bandwidth and faster access.
Combinations of modems, ISDN and direct connections are configurable on a ‘per service’ level to give
you full control and increased throughput.

Scheduler

The scheduler allows the administrator to control many WinGate and system operations on a regular
basis. Many operations can be automated, including Log file rollover, WinGate shutdown and command
line execution.

Comparison of Home, Standard & Pro

The table below presents an overall comparison of the features that come bundled with each WinGate
license type. This comparison assumes you have at least a basic understanding of what each feature
provides.


WinGate Feature Comparison | HOME | STANDARD | PRO
Runs as a Windows 95 or Windows NT Service | Yes | Yes | Yes
GateKeeper | Yes | Yes | Yes
Session history viewer | Yes | Yes | Yes
Full remote administration | - | - | Yes
Extended Network Support: General Purpose Internet Sharing (NAT-based), firewall and port security, multiple subnet routing | Yes | Yes | Yes
WinGate Internet Client | Yes | Yes | Yes
Winsock Redirection Protocol/Service | Yes | Yes | Yes
Multi-language support (English, French, Japanese, German, Spanish) | Yes | Yes | Yes
DNS server | Yes | Yes | Yes
WinGate Dialup Monitor | Yes | Yes | Yes
WinGate Engine monitor | Yes | Yes | Yes
Generic Discovery Protocol | Yes | Yes | Yes
Caching WWW Proxy with HTTP, FTP and HTTPS | - | Yes | Yes
WWW Proxy ban list | - | Yes | Yes
Non-proxy handling for server integration | - | Yes | Yes
SOCKS 5 server with HTTP hand-over | - | Yes | Yes
VDOLive, XDMA, POP3, FTP, RealAudio, Telnet Proxies | - | Yes | Yes
SMTP Proxy with SPAM Filtering | - | Yes | Yes
Telnet user authentication | - | Yes | Yes
TCP and UDP Mapped Links with optional encryption | - | Yes | Yes
User configurable services | - | Yes | Yes
Dialer database | Yes | Yes | Yes
Advanced service logging | - | Yes | Yes
Extensive rules | - | Yes | Yes
Administrator and Guest built-in users | - | Yes | Yes
User database and authentication | - | - | Yes
NT/2000 user database integration | - | - | Yes
Import / Export Wizards for WinGate users and groups | - | - | Yes
Groups | - | - | Yes
User Auditing | - | - | Yes
User Accounting | - | - | Yes
Scheduler | - | - | Yes
3 level user security: Authenticated, Assumed, Guest | - | - | Yes
Assumptions based on IP or Computer name | - | - | Yes
Messaging between authenticated users | - | - | Yes


Common Terms

This manual uses certain terms frequently. We recommend that you understand all the following terms.
For further advanced explanations, see the Appendix and Glossary.

Windows Service: Windows services are programs that run when a Windows computer is started.
You generally cannot see a window for services. Services are not closed when a
user logs out, only when the computer is shut down. A common example is the
program that allows your mouse to operate, the ‘mouse driver’.

WinGate Engine: This refers to the executable component of WinGate, which provides the actual
server functionality (WinGate Services that let you access the Internet). You
cannot see the engine running, as it runs silently as a service. The WinGate Engine
is configured via GateKeeper.

WinGate server: This is the computer where you installed the WinGate software. Your network
accesses the Internet via this computer, so it needs a connection to the Internet.

Client computer: This is a computer on your network that is not connected to the Internet but gets its
access via the WinGate server. Client computers are often referred to as
workstations.

WinGate Client: The WinGate Internet Client (WGIC) provides access to the Winsock redirector
service. This allows client applications to use the Internet as if they are directly
connected.

GateKeeper: GateKeeper is the remote control and configuration program for WinGate. It is the
user interface for the WinGate engine.

License count: This is the maximum number of computers that are allowed to access the Internet
via your WinGate server at any one time. This number is 3, 6, 12, 25, 50 or
unlimited, depending on the license you purchase.

License type: This is either Home, Standard or Pro.

Client application: A client app is a program that helps you do something, such as read email or read
WWW pages (e.g. Netscape, Eudora etc).

Server: A computer or a program running on a computer that provides a service (e.g.
Email server, WWW server).

Proxy: A proxy is a program or service that does something for you on your behalf, an
intermediary between client and server. See the later section on Services.

WGIC: WinGate Internet Client.

NAT: Network Address Translator.

ENS: Extended Network Support (a complimentary plug-in for WinGate).

TCP/IP: TCP/IP is a network protocol. Computers use this protocol to communicate with
each other on a network. The main protocol in use on the Internet is TCP/IP.

DNS: Domain Name Service. This is a useful service that lets you ‘look up’ a
computer’s address on the Internet.

IP number: Internet Protocol number. Usually referred to as an IP. This is a computer’s
‘address’ on a network. All your client computers need an IP number. The
WinGate DHCP server will assign these for you.

User: User accounts allow individual access restriction and monitoring. Any number of
users can be added. New users can only be added in Pro.

Groups: Groups are collections of users. WinGate allows nesting of groups. Groups are a
Pro only feature.

Access Rights: Rights can be assigned to individual users or groups.

localhost: Localhost is a TCP/IP name used to refer to the computer you are using.
Localhost is a computer’s way of saying ‘me’, or referring to itself. If you wish to
use a service that is on the computer that you are using (e.g. logging on to
WinGate for the first time) you use the name localhost. The address localhost is
not included in the license count. The localhost IP address is always 127.0.0.1.

Interface: An interface is a ‘network connection’, i.e. a way to connect to another computer,
e.g. a network card, a dialer profile, or your local loopback: localhost.

Binding: Binding a service to an interface causes that service to listen on that interface. The
WinGate services default to ‘Bind to all interfaces’.

ISP: Internet Service Provider. This is the company from whom you obtain your Internet
access, i.e. if you have a modem, you ring their phone number.

WRP: Winsock Redirection Protocol. WRP is the protocol used by the WGIC and WRS
to provide Winsock redirection services.

WRS: Winsock Redirector Service. This is the service in WinGate that provides
Winsock redirection.

What Do I Need To Run WinGate?

This is a guide to the minimum system requirements and recommended configurations for running
WinGate. The WinGate server can be installed on any computer on your network, so long as it has a
direct connection to the Internet. If you have a choice, we recommend Windows NT as it has far better
built-in security than Windows 95 or 98.

Minimum Basic Requirements | Recommended Configuration

Small LAN: 2-5 users
486 DX2/66 8 Megs ram | Pentium 90+ with 16 megs ram
Windows 95/98 | Windows NT + SP4
14k4 modem | 33k6 modem
TCP/IP Protocol installed | TCP/IP and RRAS (Routing and Remote Access Service for NT only) installed
Winsock 2 installed | Winsock 2 Upgrade Installed (only if running on Windows 95a)

Medium LAN: 5-20 users
486 DX2/66 16Meg ram or better | Pentium 90+ with 20+ megs ram
Windows NT +SP4 | Windows NT +SP4
33k6 modem | ISDN
TCP/IP Protocol and RRAS (Routing and Remote Access Service) installed | TCP/IP Protocol and RRAS (Routing and Remote Access Service for NT only) installed
Winsock 2 installed | Winsock 2 Upgrade Installed (only if running on Windows 95a)

Large LAN: 20+ users
Pentium 90+ with 32 Meg RAM | Pentium 120+ with 32+ megs ram
Windows NT +SP4 | Windows NT +SP6
ISDN connection / Leased Line / T1 | Leased Line / T1
TCP/IP installed | TCP/IP Protocol and RRAS (Routing and Remote Access Service for NT only) installed
Winsock 2 Upgrade Installed (only if running on Windows 95a) | Winsock 2 Upgrade Installed (only if running on Windows 95a)

WinGate runs on only one computer on your network. This is commonly called the WinGate or
gateway computer. This computer has the modem, ISDN card or other direct connection to the Internet.
The other computers on the network are referred to as client or workstation computers. The WinGate
server has the modem or other physical connection to the Internet or network to which you are granting
your users access. Later in this guide, you will find details on how to install WinGate on your network.

WinGate runs as a Service. This means it won’t appear as an application on your desktop. The engine
program does the actual work without interfering with the usability of your computer (it runs silently in
the background). The big advantage of services is that they run when Windows starts. No user has to be
logged in for services to run, and the operating system does not close them down when a user logs off.

Introduction To GateKeeper

GateKeeper is the user interface for WinGate. It is used for all operations on WinGate, all
administration tasks, and any configuration you may do. GateKeeper has been designed to be easy to
understand and use.

PRO: GateKeeper will start offline. Use the steps below to connect to WinGate.

STANDARD: GateKeeper will start offline. Use the steps below to connect to WinGate.

HOME: If you have a Home license in WinGate, you will automatically be connected to WinGate.

First Logon to GateKeeper

This applies to Standard and Pro license users only. Both usernames and passwords are case sensitive.

To log on for the first time, follow these steps:

1. Run GateKeeper
2. You will be presented with a dialog box ‘GateKeeper_logon’
3. Use these options for the first log on
4. Click OK
5. You will be asked to change your password: enter your password in the ‘Password’ and
‘Confirm Password’ fields
6. Click OK. You are now logged on.

Saving Configuration Changes

Normally you will have to manually "Save" all changes (by clicking the save button) before any changes
to service configurations are permanently committed. This allows the WinGate administrator to
tweak configurations and test them; if they don’t work out, simply closing GateKeeper discards
the changes.

We recommend manual saving, but you can configure Gatekeeper to autosave if you prefer this (all
changes are committed when you click OK or Apply in a dialog).

GateKeeper Offline

WinGate Pro and Standard

In this mode, GateKeeper is not connected to WinGate. There is little you can do when running
GateKeeper in offline mode.

Clicking the online button will bring up the logon screen with the most recent user details and log the
user directly on to WinGate. If you are already online, it will display the current login details.
Home License

You will be logged in directly. You will not see GateKeeper like this.

GateKeeper Logon


Pro and Standard Licenses

When GateKeeper is run, you will be asked to log in. The dialog displayed above prompts for User and
Server details. The defaults are as shown in the image; use these when you first log on.

Use current Windows login

This option is only available if you are using NT authentication on the server. Enabling this option
allows you to log on automatically, as WinGate will use your current NT username and password login
details.

Log on to local machine:

If this option is enabled, logon will be to localhost.

Use these details next time to login directly

If you select this option, you will not be prompted for login details next time you log in. Note that
passwords are never saved by GateKeeper, so you can only use this option if you enable the "Use
Current Windows Login" option.

Home License

This dialog will not appear.

GateKeeper Online

This is the normal view for all WinGate users.

WinGate is controlled and configured using GateKeeper. GateKeeper communicates with WinGate over
an encrypted TCP/IP link, for all configuration, monitoring, and control. Although GateKeeper is used
for configuration, it is not essential for Internet access itself. You do not have to use GateKeeper to
access the Internet.

With a Pro license, GateKeeper can be used from any computer with a TCP/IP connection to the
WinGate server. This can be the WinGate server, another computer on your network, or any computer
on the Internet!

The Activity pane is an administrator’s ‘window’ into WinGate. Here all the sessions are displayed and
updated real-time. An administrator can use this screen to monitor and delete any session.

Several symbols are used to indicate various actions taking place in GateKeeper. These are explained
below. All icons in the activity screen indicate ‘sessions’ of various natures. These appear while
sessions are active, and will disappear when a session is finished.

Data sessions

A data session is an instance of any proxy or service use. A data session will always show as being from
a computer (Netbios name or IP) and a user name (or Guest).

User sessions

These are displayed with one of the user icons (see below). User sessions show which users are using
WinGate, and what data sessions they have open. This means, if someone is not authenticated, they will
only appear when they have an active data session. If a user is authenticated, they will appear with a key
icon, and stay in the activity screen until they logout. Logged in users count as a user for licensing
purposes all the time they are logged in. Users are explained in the following section.

Computer Session

Small ‘computer’ icons indicate any computer that is using WinGate. Beside the icon is the
computer name the user is connecting from (if known), or the IP address.

Authenticated User

    This (blue shirt) icon indicates a known, logged on user, e.g. Administrator. The word
    ‘Authenticated’ is shown beside the user’s name.

Assumed User

    Anyone who uses WinGate from a known location (e.g. internal LAN), but has not logged
    on to WinGate, is shown as an assumed user, in a red shirt. The word ‘Assumed’ is
    displayed beside their name.

Unknown User

If WinGate is being used from an unknown location, and the user has not logged on to
WinGate, then they are shown as a masked ‘unknown’ user.

Explanation of Example Above

To administer WinGate with GateKeeper, you must be logged in; therefore the Administrator
entry in the activity window is you.

Your network computer name is listed, and branching below it are your username and (in brackets) your
security status.

Below that is the session you have open with WinGate. The session is a ‘WinGate Login’ session.
GateKeeper uses this session for communicating with WinGate.

The text to the right shows what command was executed last by that session.

Right-click on your name on the activity pane to get a menu. You will notice in the screenshot below
that the Administrator’s last action was to register for everything; this means logging in.

Sessions in the activity pane are displayed dynamically, as they occur. Therefore, when they stop, they
will disappear from the screen. Clicking on the History button on the tool bar will display all WinGate
sessions that have occurred during the current logon. View the log files if you want more details on the
sessions that have terminated.

Actions in the Activity Screen

Right clicking on sessions in the activity screen opens a context-sensitive menu, which allows a variety
of actions to be performed.

To Delete A Session
1. Right-click the session and
2. Choose Terminate Session
or
1. Select the session and
2. Press the delete key.

Anyone with activity delete rights (e.g. Administrators) can delete any session on the activity screen.

Data Sessions

Any data session can be terminated. This will not affect any other activity for that user. This is
useful if a session has hung, or you do not like what the user is doing.

Remote Control Login

If this is terminated, the user will lose their authenticated state, and revert to an assumed user (if
they still have any other sessions open or there is a location mapping for them), or Guest.

User Entries

Deleting a user entry will cause all the sessions of the associated IP address to be terminated, and
they will disappear from the activity screen. If their computer keeps requesting access, they will
reappear as a guest or an assumed user.

Pause Activity Update

This option allows you to freeze the display of activities in the activity screen.

View by Service

This option displays all the activities grouped by service name (as displayed in the screen shot below). It
only appears as a selection item when the "View by Machine" option is currently selected.

View by Machine

This option displays all the activities grouped by computer (as displayed in the screen shot below). It is
the default selection and only appears as a selection item when the "View by Service" option is currently
selected.

Send Message to <USER>:

Selecting this will allow you to send a message to any user logged on with GateKeeper. The user can
reply with the reply button.

Copy URL to Clipboard

This option allows the Administrator to copy the selected URL from the activity screen into the
clipboard. Pasting this URL into a browser will show the Administrator that page or resource.

Properties

This option displays several properties of the computer selected.

GateKeeper History Screen

The History tab page displays the content produced by the History Viewer plug-in component. This is
in line with the open architecture (currently in beta) that allows for third party vendors to supply custom
history components.

Currently Qbik provides the Traditional WinGate Logging as a plug-in component that re-implements
the existing history/logging functionality of previous versions, but with some useful added extensions
(e.g. history filtering). This means that this plug-in will still log data to the database located in the
WinGate program folder (history.dbf and history.cdx).

Right-clicking this viewer opens a context-sensitive menu.

About the Traditional History Viewer Component


• Previous session history is available in GateKeeper if you are logged in to localhost.
• Sessions are displayed in the order in which they terminated, oldest at the bottom of the screen.
DNS requests are very fast due to DNS caching and usually display duration of 0 seconds.
• If your system crashes, the database may get corrupted. If GateKeeper does not seem to be able to
log in even though the engine is running, this may be the problem. If you think this is the case, then
stop WinGate, back up the two Database files and remove them from the WinGate directory.
Restart WinGate. If GateKeeper then works, Database corruption was the problem. If not, put the
files back in the directory.

Advanced GateKeeper Options

The Advanced options are available by selecting Advanced from the Option menu.

System Tab

The three tabs, System, Services and Users allow you to configure various aspects of WinGate.

System Tab

These cannot be deleted, although all but RCS can be disabled. You are only allowed one of each
system service. Only Pro displays the scheduler.

Services Tab

WinGate Control Panel - Services Tab

The User services section contains services such as proxies or mapped links that the user can add if
desired. Most users need no User services. If you wish to support non-Windows clients on your
network, you will need to add User services.

Double click to edit any service. To add a user service, right-click the user service pane.

Users Screen

WinGate Control Panel – Users Tab

User options are configured from this tab.

Pro License

Users can be added, edited or deleted.

Standard License

The Administrator and Guest user properties can be viewed and edited.

Home License

This view is not available with Home licenses.

Configuration Pane

System Service icons

System Service: This icon indicates system services that are running.

Stopped System Service: The cross indicates that a service is not running.

System Service Error: The service error icon is displayed if a service could not be
started. This usually means a port conflict, i.e. two services
on the same port, or some other service running on the port
WinGate wants to use.

Caching: Double clicking this icon brings up the caching properties dialog.

Dialing: All dialer profiles are indicated with this icon.

Scheduler: This section holds scheduler information. Pro only.

Users: With WinGate Pro, you have the ability to create user names (e.g. Tim, Ben,
Adrien). Doing this means you can set who is able to use WinGate, see how much
data each user has used, and decide who can configure WinGate. These are users
just as in Windows. There are two default users that cannot be removed:
Administrator and Guest. Note, only the default users are available in the
STANDARD version.

Groups: As in NT, groups are sets of users to whom you assign certain privileges. You might
have ‘Administrators’, ‘Users’ and ‘Dial-in’ groups, each allowing different access
rights. Users can belong to one, several, all or no groups. Groups cannot be added
in the STANDARD version. Groups can also belong to groups, allowing nesting for
a hierarchical structure. PRO only.

Services: This is the heart of WinGate. Listed under services are all the proxy services you
have installed in WinGate, the DNS service and the remote control (GateKeeper)
service. All the services are added, edited or configured here. Services must have
distinct names and ports.

Assumed users: This section allows the Administrator to set up user name assumptions based on the
computer that the requests are coming from. Setting these assumptions saves users
the trouble of logging in. PRO only.

System Policies: This section is where the System access rights and policies are configured.

Caching: The options here allow the administrator to control what Internet files are saved for
reuse. Many different options are available here.

Dialing: This section controls dialup configuration. Double-click (if you have rights) to bring
up the dialer properties dialog.

Scheduler: Pro only. This allows scheduling of regular jobs such as dialing, backing up the logs
or running batch files.

System Info: A License allows you to use WinGate. Entering information in this section allows
operation of WinGate. Trial keys and paid licenses can be obtained from WinGate
dealers.

User(s): This icon indicates a user in the user database.

Group(s): This is used to show groups in the configuration screen.

Active Service / Services: This icon is displayed next to all the services in the
Configuration pane. This icon indicates that a service (e.g.
WRS, DHCP, DNS) is running.

Assumed users: This section holds user assumption information.

System policies: This section shows system default policies and rights.

GateKeeper File Menu

GateKeeper View Menu

GateKeeper Options Menu


GateKeeper Help Menu

History Column Picker

Various columns can be displayed by the Traditional WinGate Logging history viewer component. All of
this information will be stored in the database, but typically you will not want to view all of it.

Troubleshooting


The following options are available for tracing configuration problems:

Configuration Report:

This dialog can be used to produce a text report of the current WinGate configuration, including
information such as version numbers, network interfaces, service configuration, etc. The gray text box
provides a preview of the report, which can be saved to a text file by pressing the "Save Report" button.
A list of report sections is displayed on the left, in the white text box. Each section can be included or
omitted by clicking on the corresponding check box.

Enable Debug Logging Mode:

When ticked this option will enable all logging options in all WinGate services and systems. This is
useful if you are trying to trace problems with your WinGate configuration. Usually this option is
disabled. When switched off WinGate reverts to the previous logging options for each service and
system.

Save Registry Settings:

Click this button to save your current registry settings into a re-loadable registry file, which you specify.
This feature can be used to examine your WinGate configuration more closely, or as a backup before
making configuration changes. This button is only visible if GateKeeper is running on the WinGate
server.

Confirmation Options


This Gatekeeper dialog allows confirmation dialogs to be enabled/disabled for various operations. This
means that for each of the options selected, GateKeeper will ask you to "confirm" (by clicking OK) this
action first, before it executes it. This is designed to prevent accidental deletions and changes, etc.

User Authentication with WinGate

WinGate authentication is based on either WinGate passwords or Windows NT / 2000 passwords. This
depends on which user database the administrator has chosen to base his/her policies on. You
should learn about these approaches before learning how to implement authentication:

• Basing authentication on WinGate user database passwords
• Basing authentication on Windows NT / 2000 user database passwords

There are THREE ways of getting users to authenticate (supply a name and password) for key WinGate
Services. All of these methods are only available with a Pro license.

1. Users can authenticate for the WWW Proxy Service with the WinGate Java logon applet
2. Users can authenticate for the WRP Service with the WinGate Internet Client login dialog
3. Administrators must log on with GateKeeper to configure and monitor WinGate

1 WinGate Java Logon Applet

The WinGate Java logon applet is a multi-purpose tool for authenticating WinGate users. The applet is
loaded by any web browser when ALL of the following are true:

• The web browser is set to connect to the Internet with the WinGate Proxy
• The WWW Proxy Service is configured to "Use Java Client authentication as required by
policies" (enable this with the checkbox on the General Tab of the service properties)
• The System or Service Policies require that the "User must be authenticated" (this option is
available by double-clicking a policy recipient e.g. Everybody)

Though the user must use a web browser to load the applet, this authentication works for WinGate
Services other than the WWW. For example, you can configure the FTP Service to "User must be
authenticated". To authenticate themselves (if the WGIC is not running), the users simply start their
web browser and log in to the Java Applet. Once the login is complete, the users can start the FTP client
and will be authenticated.

Also, note that the Java Applet will only appear when a particular user requires a higher level of
authentication for the request being made. For example, if you configure the WWW Proxy Service to
"User may be assumed" then the applet will only be served to non-assumed users.

Finally, the SOCKS Proxy Service will also serve the client if "Refer HTTP requests to caching
HTTP Server" is enabled. (Socks Advanced Tab on the SOCKS Service properties).

2 WinGate Internet Client Logon Dialog

You can require users to securely authenticate themselves through the WinGate Internet Client (WGIC
login dialog displayed above). This is configured in the WRP Service policies using GateKeeper (if it
was on the WGIC then users could simply turn it off/on at their own leisure).

Requiring users to authenticate for WRP has the following advantages:

• Prevents unauthorized users gaining Internet access from unattended computers
• Prevents users installing their own unauthorized copy of the WinGate Internet Client
• Provides improved control and logging of individual users

Steps:

1. In GateKeeper open the properties for the WRP Service
2. Click on the policies tab
3. Double-click on the policy recipients (typically this will be "Everyone")
4. Select the "User must be authenticated" option from the radio button group:

5. Now click OK and make sure that you have configured the "Default rights (System Policies):"
combo box appropriately (typically this will be "are ignored")
6. To learn more about integrating Service Policies (apply per-service) and System Policies (apply
to all services) click here!

Now all client computers will be presented with the WGIC logon dialog the first time an application
attempts

Note for WinGate Standard License Users:


Although the client authentication will still work, you will only be able to authenticate for
Administrator and Guest (since these are the standard users and the database is only expandable
with a Pro License).

3 Administrator logon to GateKeeper

GateKeeper is used to control and configure the WinGate Engine. It communicates with the engine
using the Remote Control Service, so this is the service that you are authenticating for (and it is the
highest level of authentication). WinGate administrators (and other users with GateKeeper access rights)
must log on to GateKeeper with the following information:

Username: A WinGate user account (not Windows)

Password: The password for the WinGate user account entered.

Server: The network name or IP-address of the computer that WinGate is running on.

Port: This will always be Port 808 (unless you explicitly change the port that the Remote Control
Service runs on).

If you are having problems logging into GateKeeper then check the bindings on the Remote Control
Service (make sure that this service is bound to the interface that your connection will be received on).
Also, note that if you do not have an administrator password set then WinGate will not allow this service
to bind to any publicly visible interfaces (e.g. the Internet). This is to prevent intruders from the Internet
zone logging into your WinGate engine and making changes.

About Insecure Authentication with Telnet:

In addition to the above, users can make use of insecure authentication in Telnet or SOCKS 5 to achieve
an assumed level of authentication. Follow the links to read more about implementing these methods.

WinGate Services

Services are the heart of WinGate operation. WinGate Services can only be configured with a Standard
or Pro License:

√ System Services
Software Servers are programs (or parts of programs) that run on one computer to provide a service to
many other computers or users. Examples of this are Email servers and FTP servers. WinGate has
WRS, DHCP, DNS, GDP, SOCKS, Remote control, and a basic Web server.

√ User Services
These include Proxies for individual protocols and TCP/UDP Mapped Links.

User services allow client computers to access external servers of the clients’ choice, but do not actually
do the serving themselves. Proxies do something on your behalf by passing client requests to the
external server. WinGate has WWW, POP3 (email), FTP, Telnet, Streamworks, VDOLive and Real
Audio proxies.

Pipes are the most basic user service. Pipes simply redirect requests to another location. WinGate has 2
types of Pipe - TCP and UDP mapped links.

By default the WinGate installer will add the standard services and start them on standard ports. You
may already be running a server application of some type (e.g. an FTP server or web server) or you may
have other requirements. In this case you may need to run the WinGate service (or the server) on a
different port, because only one application on a computer can listen on a given port at any one time.
The next section has details on how best to integrate with other servers.

All services are highly configurable. Each service however has its own configuration requirements.

| Tab | Service | Description |
|---|---|---|
| General | All | This has the name and description of the Service, and the port on which connections are accepted. It also allows you to configure startup options such as manual, automatic and disabled. |
| Bindings | All | This tab enables the administrator to specify what interfaces allow incoming requests for that service. The interfaces listed are all possible interfaces on the WinGate server. |
| Policies | All | Every service has its own rules. There is an option to include default policies. If these are included, then privileges from ‘Default Policies’ will be included. |
| Logging | All | All services can be ‘logged’ or Audited. Logging records details about how each service is used. The time of each event is saved. |
| Sessions | All bar DHCP | This tab has configurable timeouts for the service, and some services can limit the number of connections. |
| Interfaces | All bar DNS & DHCP | This tab allows specification of which interfaces are used for outward connections. This enables combinations of multiple modem, ISDN or direct connections. |
| Connection | All TCP proxies and mapped links | This tab allows the administrator to choose how the proxy makes the connection to the Internet. Choices include Directly, Cascade, SOCKS4, or SSL. |
| Non Proxy request | All Proxies bar Telnet | This tab enables the Administrator to integrate other servers with WinGate, by dealing with requests on the port that are not in the Proxy request form. |
| DHCP Mode | DHCP | Allows selection of the mode of DHCP operation, from Fully automatic to manual. |
| DHCP Settings | DHCP | The DHCP service has many configurable options. The settings tab allows configuration of these options including scopes, leases and reservations. |
| Mappings | Mapped links | This tab controls configuration of mappings per user or location. |
| Encryption | Mapped links | This tab configures encryption options that are available for Mapped links. |
| SOCKS Advanced | SOCKS | This contains several options relevant to SOCKS including HTTP hand-over and options for SOCKS requests. |

Adding Services

Adding new User Services from GateKeeper is a simple procedure. All services are displayed and
configured from a standard dialog. Below is a generic guide to adding services in WinGate:

1. Right click any service and select ‘new service’

2. Choose the service to add

3. Type in a unique name for the service and a description

4. Choose the port for the service to run on, or accept default

5. Click OK.

The service is now configured. Use these as a guide to the service icons.

Active Service: This icon is displayed next to all the services in the Configuration pane.
It indicates that a service (for example HTTP, FTP or DNS) is running.

Stopped Service: The cross indicates that a service is not running.

Service Error: The service error icon is displayed if a service could not be started. This
usually means a port conflict, i.e. two services attempting to bind and run on the same port.

Integrating WinGate with other Servers

Some computers have servers other than WinGate running on the WinGate server. Most (probably all)
of these servers will run alongside WinGate very smoothly.

Servers on the WinGate server

If you do not use WinGate proxies, simply install the Server software as normal. WRP does not listen
on server ports such as 80, so there will be no conflict.

Servers on client computers

WRP gives you enormous flexibility to run server applications on your client computers. Before WRP,
servers needed to be either run on the WinGate server or on a client computer with mapped links on the
WinGate server. This required knowledge of how the server worked, and meant that WinGate required
reconfiguration when changes were made.

The WGIC allows any computer on your network to run any Internet server software. These servers are
installed and run as if they are directly connected to the Internet. When a server is running it is
‘listening’ on a certain port, e.g. 110 for POP3, 80 for WWW. When another computer wants to contact
the server, it makes a connection to the IP of the server, on the port that server is listening on. When the
WinGate client is installed on to a computer, the process works differently.

Instead of listening to the port on the local computer, WRS allows the server to listen to that port on the
WinGate server. Any connections to that port are redirected to the client computer running the server
application.

If you have a server on your LAN such as an Intranet WWW server, you probably don’t want Internet
access to the server. For security reasons, this is actually the default configuration for the WinGate
client. If you do want to allow external access, simply open the Control panel, open the WGIC icon, and
select the service that is allowed access.

The WG Client is intuitive. When it recognizes that an application is trying to bind (this means listen) to
a port, it knows that that application is a server-style app (i.e. it listens for incoming connections). It
looks at the name of the application, and it saves this with any port information. If the port used is less
than 1024 then the application will be local access only by default. If the port is higher than 1024 then
external access will be allowed. When you open the control panel applet, its name and details will be
listed, and you can select a mode.

See: WRP Application Modes

General Tab

Bindings Tab

The Bindings tab is central to the security of the WinGate firewall. Binding a service to an interface
means that that service is only accessible if the connection comes in on that interface. With WinGate,
bindings can be configured to allow access on one, several or all of the available interfaces. The
Bindings tab lists all the available interfaces. LAN cards, Dialer profiles and the localhost address will
be included. You can select the interfaces that are allowed access to the service.

For example:

On most LANs, you want your WWW proxy to only be accessible to the people on your network.

Simply select the ‘Specify interfaces…’ option and ensure that your LAN card (probably 192.168.0.1)
and localhost (127.0.0.1) are the only items in the ‘Bound’ list.

In the picture above, we have bindings to the LAN card and 203.96.8.238, which is on the Internet.
We specified this card so we can let people look at our web pages. We would enable this by selecting
the ‘Specify interfaces connections will be accepted on’ option.

Note that without a binding to 127.0.0.1, the local computer cannot use that service.

Standard users:

Standard users will find that their remote control service can only bind to 127.0.0.1. This is a license
restriction. Upgrading to Pro will allow the service to be accessed from computers other than the
localhost. This demonstrates the working of bindings. Only computers connecting to 127.0.0.1 can
connect, and because that has to be the computer that WinGate is on, then you can only connect to
WinGate on the local computer.

Typical Binding suggestions:


• Allow binding to only your LAN addresses for the telnet proxy
• Allow all bindings for a mapping to a SMTP server
• If you run a WWW server through WinGate, allow all interfaces
• In general, you do not need bindings to your dialer profiles.

Security tips:

For the best security, only bind each service to your LAN card and localhost. If you have multiple
segments, bind to each segment. Don’t allow any bindings to dialer profiles.

Interfaces Tab

With the Interfaces tab, you can specify what interface is used for the outgoing connection. Usually you
can accept the default option of ‘Any interface’. In the example above, we have selected to only make
outgoing requests on the interface 203.96.8.238. This interface has a full-time connection to the Internet
and is the fastest, so it makes sense to do so. If we wanted to disable that card because it was not
working or was too slow, we might change this to IPROLINK, a dialed connection to an ISP.

The real advantage of this tab is the third option. Rotating connections allows multiple interfaces to be
used. If you have say an ISDN and a T1 connection to the Internet, you can put both in the ‘In Use’ list.
Next time a request is made to WinGate for a Web page on the Internet, WinGate can use the least
recently used interface that is listed. This allows a greater bandwidth than a single connection, meaning
better speed. The connections are used concurrently. In NT you can have multiple modem connections.

Advanced Interface Setup – Cable Modem and Direct Router Connections

The WinGate administrator can specify which interfaces are open to the Internet and which are trusted.
This provides better support for more Internet connections (e.g. cable modems, direct router connections
etc). Learn about advanced interface setup here.

Set & Forget Firewall - WinGate Services are Firewall Aware

When you bind a WinGate Service to an interface / port combo that is blocked by the firewall, WinGate
will offer to create a "hole" (we recommend allowing WinGate to do this for you). Of course when you
unbind or delete the Service the "hole" will be automatically blocked again by the firewall.

Tips & Tricks:
• You cannot have multiple instances of a Dialer profile in Windows. To enable multiple connections
with the same details to the same ISP, simply create a 2nd dialer profile with a different name but
otherwise the same details. Select both of these in the interfaces tab.
• With this mechanism, you can ‘reserve’ a connection for special events. You may have two ISP
accounts. One slow but cheap, one fast and expensive. You could make most of the services use
the cheaper dialer profile, while FTP could use the fast connection. As FTP downloads are less
common than email use or normal surfing, the expensive connection is used less frequently. You
could also setup a second HTTP proxy that only uses this fast dialer profile, and only allow access
to certain people.
• In fact, the request is made via the interface that was first online, but when the data is returned, it is
sent to the specified interface.

Sessions Tab

The Sessions tab allows you to control some details of the connection made through WinGate. DHCP
does not have this tab.

Timeouts

Timeouts are essential. Their function is to monitor all WinGate sessions, and if any of those sessions
are not active in the specified time, they are terminated - 60 seconds is the default. This period has no
bearing on the hang up time for any modem connection. It is essential to remove or increase the timeout
on the Remote control service if you wish to stay logged in for any length of time.

Policies Tab

This picture shows the policies tab with the drop box activated. Policies are detailed in the WinGate
Policies and Rights section.

Non-Proxy-Request Tab

This setup will make use of a Web server running on the WinGate server on port 8080.

Connection Tab

This tab allows control over the method used to make the connection.

Directly

This option is the default. Use direct connection when the WinGate server is directly connected to the
Internet.

Through cascaded proxy server

This will cause the service to connect via the service on the specified computer and port. Use this option
if you normally access the Internet via another proxy server. Many ISPs have HTTP proxies (usually on
port 8080). Large networks may also have multi level cascaded caching.

Through SOCKS4 server

This causes connection via the specified SOCKS4 server, with the specified password.

Through HTTP proxy with SSL support

This option uses SSL tunneling via the HTTP proxy specified.

Option boxes:

These edit boxes are enabled according to the option selected above. If you are connecting to a cascaded
proxy or SOCKS4 server, enter the details for the server required.

Logging Tab

This tab is standard for all WinGate Services. For details on what the available options mean, see:
Auditing and Logging

Change Password

Allows the current user to change their password for accessing GateKeeper. This option is not available
in WinGate Home as GateKeeper is not password-protected.

To change your current password:


1. Enter your current password
2. Enter your new password
3. Enter your new password again
4. Click OK.

Logon and Online Options

This is the dialog presented upon hitting the Logon key, or the online options ‘spanner’ button.

Note:
The options above are what you should use the first time you log on to WinGate.

System Info - General Tab

The System Info tab provides information on license details, computer type and Operating Systems.

System Info - Bindings Tab

The Bindings tab provides information on current interface bindings for each installed WinGate service.
It is a valuable tool for troubleshooting service problems.

See the Bindings Tab section to learn more about how to configure bindings for a service.

WinGate Engine Monitor

The WinGate Engine Monitor is a tiny application that runs in the Windows system tray (the right hand
bottom corner of the screen). It will be configured to load automatically when Windows starts up.

The purpose of the Engine Monitor is to tell you whether the WinGate Engine is currently in stopped or
started mode. When the engine is stopped WinGate will not be working (and you will not be able to share
an Internet connection with client computers).

The WinGate service is started and running.

The WinGate service is stopped.

Right-clicking the WinGate Engine Monitor icon will open a menu, which allows you to:

• Stop WinGate
• Start WinGate
• Open GateKeeper.

Network Interface Setup

The advanced "Network Interfaces" dialog displays all of the interfaces that WinGate has detected for
the computer it is installed on. Normally WinGate can determine whether an interface is trusted or public
(visible from the Internet so not trusted). It does this by checking whether a given IP is in a public or
private address range (dialup connections are also interfaces and are assumed to be public).

However, sometimes an interface with a private IP address can in fact be directly connected to the Internet
(via some type of gateway such as a router or cable modem). In this case such an interface should be
specified as "public" and not trusted.

Important Note:
The default configuration will normally be correct. Do NOT change the default settings for an interface
unless you are sure that it should be "untrusted".
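
The check below is an added example, not part of the WinGate manual or product. It applies the trust rule described above (private address ranges trusted, other addresses and dialer profiles public, with an administrator override) to a map of service bindings and reports internal-only services that accept connections on a public interface. The binding map, the service names and the 10.0.0.2 override are constructed for illustration.

```python
import ipaddress


def classify_interface(name, forced_public=()):
    """Classify an interface as 'local', 'trusted' or 'public'.

    Private-range IPs are trusted, other IPs are public, and anything that
    is not an IP address is treated as a dialer profile and assumed public.
    `forced_public` holds private addresses the administrator has marked
    untrusted because they reach the Internet through a router or cable modem.
    """
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return "public"  # named dialer profile, e.g. IPROLINK
    if ip.is_loopback:
        return "local"
    if name in forced_public:
        return "public"
    return "trusted" if ip.is_private else "public"


def audit_bindings(bindings, internal_only, forced_public=()):
    """Return a list of (service, issue, interfaces) findings."""
    findings = []
    for service, interfaces in bindings.items():
        kinds = {i: classify_interface(i, forced_public) for i in interfaces}
        exposed = sorted(i for i, kind in kinds.items() if kind == "public")
        if service in internal_only and exposed:
            findings.append((service, "public-binding", exposed))
        if "local" not in kinds.values():
            # Without 127.0.0.1 the WinGate server itself cannot use the service.
            findings.append((service, "no-localhost", []))
    return findings


# Constructed sample: service name -> interfaces in its 'Bound' list.
SAMPLE_BINDINGS = {
    "WWW Proxy Server": ["192.168.0.1", "127.0.0.1", "203.96.8.238"],
    "Telnet Proxy Server": ["192.168.0.1", "127.0.0.1", "IPROLINK"],
    "Remote Control Service": ["127.0.0.1"],
    "FTP Proxy Server": ["192.168.0.1", "10.0.0.2"],
}
# Assumption: services this administrator wants reachable from the LAN only.
INTERNAL_ONLY = {"Telnet Proxy Server", "Remote Control Service", "FTP Proxy Server"}
# Assumption: 10.0.0.2 is a private address wired to a cable modem.
FORCED_PUBLIC = {"10.0.0.2"}

if __name__ == "__main__":
    for service, issue, interfaces in audit_bindings(
        SAMPLE_BINDINGS, INTERNAL_ONLY, FORCED_PUBLIC
    ):
        print(f"{service}: {issue} {interfaces}")
```

The WWW proxy bound to 203.96.8.238 is not reported because it is deliberately published; the FTP proxy is reported only because 10.0.0.2 was marked public by hand, which automatic range checking would miss.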

AutoSave for GateKeeper Changes

How to Access the AutoSave Feature:

From the GateKeeper main Options menu you can toggle AutoSave ON and OFF.

When you enable "AutoSave", all changes will be permanently committed (i.e. saved to the hard disk) when
you click OK in a service or any other dialog. This feature is great for experienced users as it speeds up
the process of making changes to a WinGate configuration.

Scheduler

An important feature of WinGate Pro is the Scheduler. This feature allows you to automate many
WinGate procedures.

What is it?

The Scheduler is part of WinGate that does work for you at predefined times or intervals. It can do many
WinGate functions, as well as running command line programs. The timing is configurable from minutes
to months.

What does it do for me?

The scheduler can automate WinGate operations, such as backing up your log files, purging cache files,
starting the dialer, and starting and stopping the WinGate engine. Also, WinGate can run external
programs, including batch files. This gives you unlimited ability to automate your system. Entire system
backups, uploads and downloads and many other procedures can be run at predefined times over any
interval.

Do I need it? Will I use it?

This is completely up to you. Scheduling simply allows you to save time by doing an operation once, and
being able to have it done automatically thereafter. Many people need to do a regular back up of their
WinGate and other log files to prevent them getting too large. If you schedule a weekly backup, log files
will never reach an unmanageable size. It is usually easier to set up a schedule for a job than doing the
job itself! You don’t have to use the scheduler, but it is generally easier, safer, and less time consuming.

How do I use it?

Setting an event is easy. One decides on an action or actions and a time interval or instance. Later
sections detail all the operations available. Simply select the action (such as roll over log files) and the
interval (probably a week for logs). That’s all there is to it. Some operations, such as executing batch
files allow you to control non-WinGate operation.

Scheduler logging

Add Event

Events carry out the actions in the order listed.

Events

Schedules are made up of an action and an occurrence.

Actions

The action is "What happens".

You can schedule one or many different actions in a single event:


• Start/Stop one or all WinGate services
• Dial/hang-up dialer profiles
• Execute a command line
• Roll over the log/audit files
• Export/reset one or all user account details
• Terminate sessions
• Purge the cache
• Run a command line.

Occurrences

The occurrence is "When the action happens".

These can be a single or a regular occurrence.

Regular occurrences can be hourly, daily, weekly, or monthly, at any time of day.

Scheduler Actions

The following actions can be scheduled in an event.

| Action | Options | Description |
|---|---|---|
| Stop Service | Any WinGate service | Stops the specified WinGate service |
| Start Service | Any WinGate service | Starts the specified WinGate service |
| Stop all services | None | Stops all WinGate services except the Remote control service |
| Start all services | None | Starts all WinGate services |
| Dial profile | Any WinGate dialer profile | Dials the selected dialer profile |
| Hang-up profile | Any WinGate dialer profile | Resets the selected dialer profile |
| Roll over log files | None | Starts new empty logs with the name format <servicename>.<rolloverdate>.log |
| Roll over audit files | None | Starts new empty logs with the name format <username>.<rolloverdate>.log |
| Export user accounts | Filename for the details to be exported to, Append | Exports the user account details in a tab-delimited form. |
| Reset user account | Any WinGate user | Resets a specific user account. |
| Reset all user accounts | None | Resets all user accounts. |
| Purge cache | None | Initiates a cache purge, as if you had hit the ‘Purge now’ button on the caching options |
| Terminate all sessions | None | Kills all current WinGate sessions |
| Execute command line | Command line, Run hidden | This option allows a command line to be executed and whether or not to have it visible. |

Roll Over Audit/Logs

These actions allow archiving of the WinGate records. If left too long, the log and audit files get very
large and unmanageable. Having regular roll over events will make for a more organised system of
record keeping. Service logs in particular get very large, and it is sensible to roll over at least every week
on a busy system.

The action of rolling over the logs will:

• Save new empty logs as <servicename>.<rolloverdate>.log in the same directory
• Append to any logs of the same name.

The action of rolling over the audits will:

• Save new empty audits as <username>.<rolloverdate>.log in the same directory
• Append to any logs of the same name.

Example:

Before service files are rolled over.

| Name | Size | Date |
|---|---|---|
| www proxy.10Mar97.log | 16852 | 10/3/97 |
| pop3 proxy.10Mar97.log | 10266 | 10/3/97 |

After the roll over (on the 17th).

| Name | Size | Date |
|---|---|---|
| www proxy.17Mar97.log | 0 | 17/3/97 |
| pop3 proxy.17Mar97.log | 0 | 17/3/97 |
| www proxy.10Mar97.log | 16852 | 10/3/97 |
| pop3 proxy.10Mar97.log | 10266 | 10/3/97 |

Note:

If you are viewing the logs with the logfile viewer, make sure you hit the refresh button. The log files
may get cached by your browser, and serve you a previous copy until you refresh.

Export User Accounts

Using this action allows the administrator to export the summary details from the user accounts to a single
file. This file is in a tab-delimited format for easy import into a database. Typically, this action will be
followed by a ‘Reset all user accounts’ action.

Options:

The ‘To File’ option in the action dialog can be a filename in the WinGate directory such as

user-accounting.txt

or a path from the WinGate directory

audit\user-accounting.txt or ..\user-accounting.txt

Any suitable file name can be chosen.

The ‘Append to existing file’ option allows the exported data to be appended to the existing file, rather
than replacing the existing data.

Fields:

These are the exported fields. Each is separated from the next by a tab:

Timestamp

Username

Real Name

Client Send (bytes)

Client Received (bytes)

Server Send (bytes)

Server Received (bytes)

Time (seconds)

Opening

Closing

Example:

While the format may look ‘crooked’, the gap between each field is a <tab> character, and is the standard
text import format.

11/11/97 15:44:04 mary-bob 80085 3053 0 0 1455 0 0

11/11/97 15:44:04 Guest 194 0 0 0 0 0 0

11/11/97 15:44:04 jimmy-sue 0 0 0 0 0 0 0

11/11/97 15:44:04 Administrator 173734 12906 0 0 6957 0 0
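
The parser below is an added example, not part of the WinGate manual or product. It reads an exported accounts file with the ten fields listed above, keeps malformed rows aside instead of failing, and totals client traffic per user across appended snapshots. It assumes day/month/year timestamps and an empty Real Name column in the manual's sample rows; the sample text, including the second snapshot and the short row, is constructed.

```python
import csv
import io
from datetime import datetime

FIELDS = (
    "timestamp", "username", "real_name",
    "client_sent", "client_received",
    "server_sent", "server_received",
    "seconds", "opening", "closing",
)
NUMERIC = FIELDS[3:8]  # byte counters and seconds online


def parse_export(text):
    """Parse tab-delimited export text into (records, rejected).

    records  : list of dicts keyed by FIELDS, counters converted to int
    rejected : list of (line_number, reason) for rows that do not fit
    """
    records, rejected = [], []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for lineno, row in enumerate(reader, 1):
        if not any(row):
            continue  # blank line
        if len(row) != len(FIELDS):
            rejected.append((lineno, "expected 10 fields, got %d" % len(row)))
            continue
        rec = dict(zip(FIELDS, row))
        try:
            # Assumption: dd/mm/yy, matching the 10/3/97 = 10Mar97 log example.
            rec["timestamp"] = datetime.strptime(rec["timestamp"], "%d/%m/%y %H:%M:%S")
            for key in NUMERIC:
                rec[key] = int(rec[key])
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        # opening/closing balances are kept as text; their unit is not stated.
        records.append(rec)
    return records, rejected


def client_bytes_by_user(records):
    """Total client bytes (sent + received) per user, heaviest first."""
    totals = {}
    for rec in records:
        used = rec["client_sent"] + rec["client_received"]
        totals[rec["username"]] = totals.get(rec["username"], 0) + used
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


# Constructed sample: the manual's four rows with real tabs and an empty
# Real Name column, one appended later snapshot, and one short row.
SAMPLE_EXPORT = (
    "11/11/97 15:44:04\tmary-bob\t\t80085\t3053\t0\t0\t1455\t0\t0\n"
    "11/11/97 15:44:04\tGuest\t\t194\t0\t0\t0\t0\t0\t0\n"
    "11/11/97 15:44:04\tjimmy-sue\t\t0\t0\t0\t0\t0\t0\t0\n"
    "11/11/97 15:44:04\tAdministrator\t\t173734\t12906\t0\t0\t6957\t0\t0\n"
    "18/11/97 15:44:04\tmary-bob\t\t1000\t500\t0\t0\t60\t0\t0\n"
    "18/11/97 15:44:04\tGuest\t\t12\n"
)

if __name__ == "__main__":
    recs, bad = parse_export(SAMPLE_EXPORT)
    for user, total in client_bytes_by_user(recs):
        print(f"{user:15} {total:>10}")
    for lineno, reason in bad:
        print(f"line {lineno} rejected: {reason}")
```

Summing across snapshots is only meaningful when each export is followed by a ‘Reset all user accounts’ action, as the manual suggests; without the reset the counters are cumulative and the latest row per user should be used instead.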

Reset All User Accounts

This action, for all users:


• Resets all Accounting Quantity values to zero. That is, client/server bytes sent/received and seconds
online.
• Sets the opening balance to the previous closing balance.

The same actions are carried out for a single user if the ‘Reset user account’ option is chosen.

Execute Command Line

This action can run command line programs on the WinGate server, at the specified time. If you wish to
run several programs for this event, you can execute a batch file.

Remove Event
This will delete the selected scheduler event.

Do Now
Immediately runs the selected scheduler event.

Scheduled Events
This is the list of events that are stored in the scheduler. Each event may contain multiple actions.

Move Action Up
Moves the selected action up one position. Actions are executed in the order in which they are listed.

Move Action Down


Moves the selected action down one position. Actions are executed in the order in which they are listed.

Occurrence
The occurrence is "When the action happens". These can be a single or a regular occurrence. Regular
occurrences can be hourly, daily, weekly, or monthly, at any time of day.

Description
Use this field to give a useful name to the Event.

The event can be enabled or disabled with the 'Enable event' checkbox.

Remove Action
This deletes the selected action from the action list for this event.

Generic Discovery Protocol - GDP

GDP is a protocol developed by Qbik New Zealand for ‘finding’ or ‘discovering’ Internet connectivity
servers (such as WinGate). It is used by both the WinGate Internet Client (WGIC) and GateKeeper for
finding WinGate. Once installed, GDP can be left unattended. It is designed to be fully automatic,
requiring no user intervention.

The GDP service listens to the system port 368 for broadcast messages sent out by clients. When the
WGIC is running on client computers, it broadcasts a ‘discover’ request to locate WinGate servers. These
are listed in the WinGate Internet Client control panel app.

GDP Guidelines:
• You only need one GDP service
• It must be on port 368
• GDP is required for the WRP clients to automatically find WinGate
• GDP should only be bound to your internal LAN adapter/s
• Generic Discovery Protocol is sometimes called Gateway Discovery Protocol

Winsock Redirector Service

The WRS provides the Winsock Redirection Protocol. This is detailed in the WRP section of this
manual.

WRS Guidelines:
• The standard port is 2080
• The service should only be bound to your internal LAN adapters
• You need WRS for the WinGate Internet Client

WWW Proxy Server

The WWW Proxy provides access to the Internet for clients that use the HTTP protocol. This includes
mainly browsers, but some other applications use HTTP as well (such as RealPlayer and the VIVO player
software).

WWW Guidelines:
• WinGate’s WWW proxy supports HTTP, Secure HTTPS and FTP
• The usual WWW proxy port is 80. This is configurable
• Web Servers also usually run on port 80
• The proxy supports Cascading and Non-Proxy request handling
• Users with a Java-capable browser can authenticate with WinGate using the Java client

Multiple WWW proxy services can be configured on different ports, but of course they must be
uniquely named.

Request Types

The WWW Proxy Service can be configured to serve both Proxy and Non-Proxy requests. This
means that the proxy can have two different modes of operation, depending on the type of request
that is received. The WWW Service allows you to handle non-proxy requests (usually from users
outside your network on the Internet) in special ways.

Caching

The WinGate WWW Proxy provides HTTP caching. HTTP Caching is the process of storing
recently accessed graphics, HTML documents, Java applets or any other Internet files on the
WinGate server, to facilitate their speedy retrieval for the next time that they are requested from
any computer on the network.

WinGate will only cache HTTP requests that use the "GET" method. WinGate will not cache
FTP requests, any request that contains a query string (e.g. the response to any form submission),
or any web page that requires authentication. In addition to this, you can also specify specific
rules for what WinGate will cache.

See: Cache Management

Site Retry Order

If the requested URL does not exist, the WWW proxy will now attempt to connect to URLs based
around that name. This allows one to simply type ‘microsoft’ to get to microsoft.com or ‘cnn’ to
get to www.cnn.com. This order is configurable in the registry and will search sites in the
following manner:

http://site/

http://site.com/

http://www.site.com/

etc…

To add site searches see Advanced WinGate Configuration

See also:

Adding a WWW Proxy server

Cache Management

Reject Request
By default, WinGate will reject any non-proxy requests received.

Pipe Request to Predetermined Server


If you select this option WinGate will pipe the request to another server. Typically (though not
necessarily) this would be a web server somewhere on your network or on the Internet. It is effectively an
active Mapped Link that listens on the same port as your WWW Proxy.

Cache non-proxy requests
This is recommended if you are redirecting requests to another computer on the LAN. It means that
WinGate will store commonly requested resources in cache to speed up retrieval for the next time
it is requested.

Prepend resource with
If you wish to use a different directory than the default server root then use this option, e.g. the
server root is "C:\root" but you want to point users at "C:\root\public\company\". Enable
this option and enter "\public\company" in the prepend field.

See: Mapped Links

Redirect Client to Predetermined Location


If you select this option WinGate will "redirect" the incoming request to a specific URL. This is similar
to "Pipe request through to predetermined server" except that it assumes the request comes from a web
browser, and allows the user to specify a page.

This allows you to accept and redirect web site requests from one domain, when it is actually hosted
from another (e.g. your domain is www.mycompany.com but your site is hosted by www.someISP.com)
- this feature allows your users to reach your site from www.mycompany.com.

Using the Web Server


What exactly does a web server do?

Browsers (Netscape and Internet Explorer) talk to web servers in order to retrieve some resource
(normally an html page) from a specific URL. The web server program runs on a computer somewhere
on the Internet waiting for users to request html pages. When it gets a request (in the form of a URL), it
will attempt to retrieve the resource and send it to the requesting user.

You can configure the WinGate WWW Service to act like a web server to any incoming non-proxy
requests. This means that when it receives a non-proxy request it will attempt to "serve" a resource
(normally an html page) to the client.

How and when do I use it in WinGate?


There is only one way to use the web server built into WinGate. It is enabled from the "Non-Proxy
Requests" tab on the WWW Proxy Service properties by selecting "Serve request" (and configuring the
web server settings to meet your requirements). It is useful if you want to serve a public company web
site from WinGate or a private Intranet accessible only to users on the LAN.

In the example above, the WWW Proxy Service is configured to "serve" the html page "default.html"
from the directory "C:\inetpub\wwwroot" (or any subfolders). If a user somewhere on the Internet
points their browser at this WinGate server (by external IP or domain name if it has one), their browser
will display the "default.html" page. Note that all further links on the "default.html" page will guide
the browser to other resources that may or may not be stored on the WinGate server.

Advanced web server setup

CGI (Common Gateway Interface) is an Internet standard for small programs (called scripts) that
reside and run on the web server. Web pages often contain "forms" – the fields that you type in and the
combo boxes that you select things from.

When the user clicks the button to submit the information entered on the form, the web server will
execute the specified script and pass the information to it for processing. Most often the job of the script
will be to enter that information in a database, or generate a new html page based on the
information the user entered.

It is important to note that where a script is generating a new HTML page, it must generate the entire
page including all header information (NPH only – Non-Parsed Headers). Some web servers will
generate the header information for you before serving the page, but this WinGate implementation will
not.

Permit directory browsing


This option determines whether or not users are able to browse and
retrieve the contents of the web server root directory from their web
browser. Note that access to directories is strongly restricted to only
the nominated "Server root directory" (and any sub-directories
inside it) – see example below.

When this option is enabled users may type in path names and will
be served up a directory structure, from which they can select, view
and retrieve files. This feature may be useful if you want users to be
able to access more than just html web content remotely. The safest
and recommended approach is to disable this option.

For example, in the directory tree on the left users would not be able
to access "ftproot" or "Inetpub" but would be able to access
"company", "oldsite" etc.

Server root directory and filename
Server root directory
This is the root directory on the local disk where all Internet resources will be retrieved from
(typically called wwwroot). Any sub-directories specified in a URL are appended to this pathname to
locate resources.

Default filename
The default filename is the html page that will be served when no page is specified by the URL.
Typically no page is specified when a user first connects to a given URL and so this is normally the
home page filename.

Enable CGI interface


CGI (Common Gateway Interface) is an Internet standard for small programs (called scripts) that
reside and run on the web server. They are most often used to process information sent from the user via
an html form (edit, combo and list boxes on web pages).

CGI Directory
The directory on the local drive where the CGI script programs are stored (usually this will be a
sub-directory of the www root directory).

CGI URL Prefix
The name of the directory where the CGI scripts reside on the local disk. No CGI script will execute
unless it exists in the root of this directory (note that it cannot be in a sub-directory either).

CGI user name
Sometimes a script will require a username and password (with sufficient privileges) to execute some
task on a server. Enter the user name here.

CGI user password
The password to go with the user name entered above. Make sure you enter it in the correct case.
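
The containment rules described above (requests confined to the server root and its sub-directories, a default filename when no page is named, CGI scripts only in the root of the CGI directory) can be expressed as one path-mapping check. This is an added illustration, not WinGate's code: the root and default filename come from the manual's example, while the CGI prefix, the CGI directory and every function name are assumptions.

```python
import ntpath
from urllib.parse import unquote

# Root and default file are taken from the manual's example.
SERVER_ROOT = r"C:\inetpub\wwwroot"
DEFAULT_FILE = "default.html"
# Assumed values for this sketch; the manual does not give concrete ones.
CGI_URL_PREFIX = "/cgi-bin/"
CGI_DIR = r"C:\inetpub\wwwroot\cgi-bin"


class RequestRejected(Exception):
    """The URL does not map to a permitted location."""


def canon(path):
    """Lexically normalise a Windows path for comparison (no disk access)."""
    return ntpath.normcase(ntpath.normpath(path))


def inside(root, candidate):
    """True if candidate is the root itself or lies below it."""
    root_c, cand_c = canon(root), canon(candidate)
    # The trailing separator stops a sibling such as "wwwroot-old"
    # from passing a plain prefix comparison against "wwwroot".
    return cand_c == root_c or cand_c.startswith(root_c + "\\")


def map_request(url_path):
    """Return ("file" | "cgi", local_path) for a non-proxy request, or raise."""
    path = unquote(url_path.partition("?")[0])   # drop the query, decode %xx once
    if not path.startswith("/") or "\x00" in path or ":" in path:
        # ':' would let a drive letter or alternate stream into the path.
        raise RequestRejected("malformed path")

    if path.lower().startswith(CGI_URL_PREFIX):
        script = path[len(CGI_URL_PREFIX):].replace("/", "\\")
        target = ntpath.normpath(ntpath.join(CGI_DIR, script))
        # Scripts must sit directly in the CGI directory, not in a sub-directory
        # and not anywhere a ".." segment might lead.
        if canon(ntpath.dirname(target)) != canon(CGI_DIR):
            raise RequestRejected("script is not in the root of the CGI directory")
        return "cgi", target

    relative = path.replace("/", "\\").lstrip("\\")
    target = ntpath.normpath(ntpath.join(SERVER_ROOT, relative))
    if not inside(SERVER_ROOT, target):
        raise RequestRejected("path leaves the server root")
    if path.endswith("/"):                       # no page named: serve the default
        target = ntpath.join(target, DEFAULT_FILE)
    return "file", target
```

The check is purely lexical; a server that applies it must also make sure no junction or link inside the root points outside it.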

SOCKS5 server

SOCKS is an Internet standard for basic connectivity through a firewall. Many Internet products that
have the capability to connect through a firewall support the SOCKS standard. These include
applications such as most WWW browsers, some FTP client applications, some IRC applications etc.
Client software supporting this standard can generally operate transparently, meaning they appear to be
directly connected to the Internet. In addition there is software available to "SOCKSify" applications
automatically, so that even if the client software does not itself support SOCKS, then all its connectivity
requirements can still be satisfied using the SOCKS protocol. This type of software is known as an
AutoSOCKS client, and there are a number of different vendors that provide such software.

For users with an AutoSOCKS client, the SOCKS proxy gives you all the proxy access without the need
for any other WinGate proxies. You may still choose to run the other WinGate services if you have
servers such as Mail, FTP or WWW or if you require logging.

The port number for a SOCKS server is normally 1080.

There are currently two versions of the SOCKS standard in common use on the Internet. These are
SOCKS version 4, and 5. SOCKS5 adds some important functionality over SOCKS4, which includes
support for SOCKS client authentication, and also support for UDP.

WinGate SOCKS server supports both SOCKS4 and SOCKS5.

Some SOCKS5 clients can use ‘RFC1929’ (an Internet ‘standard’) authentication. This uses a username
and password transmitted as clear text. When a user connects to WinGate, WinGate evaluates the
client’s current level of authentication (Unknown, Assumed or Authenticated), depending on what it
already knows about the client. If the user is unknown, and you have the option "Use RFC1929…."
enabled, then WinGate will require the user to use this method to raise its security level to Assumed.
Otherwise, the client will not be required to use this method. There is a special case here. If a user is
assumed to be someone that has no rights to use the SOCKS server, then WinGate will still allow the
user to authenticate (using RFC1929). Provided that the user then authenticates as someone with rights
to use the SOCKS server, then they will be granted access.

RFC1929 is not very secure, and we recommend that you do not use this method if you are
authenticating across an untrusted network, such as the Internet. Because this method is not secure, a
user that has used this method will raise their security level only to assumed, not authenticated.

Client software that uses SOCKS4 requires DNS to be available on your LAN. DHCP will configure
this. For SOCKS5, you probably will not require DNS on your LAN. SOCKS5 is supported by a
number of products; WWW Browsers and other specific client applications often use SOCKS4.
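
The two points above, that RFC1929 sends the username and password as clear text and that SOCKS4 clients need DNS while SOCKS5 clients usually do not, both follow from the byte layout of the client messages. The sketch below builds those messages; it is an added example, not WinGate code, and the function names, host name and credentials are constructed for illustration.

```python
import ipaddress
import struct


def socks4_connect(dst_ip, dst_port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.

    DSTIP is a fixed 4-byte IPv4 field, so a host name cannot be sent.
    ipaddress raises ValueError if the caller has not resolved it first,
    which is why a SOCKS4 client needs working DNS on the LAN.
    """
    addr = ipaddress.IPv4Address(dst_ip)
    return struct.pack("!BBH", 4, 1, dst_port) + addr.packed + userid + b"\x00"


def socks5_connect(dst_host, dst_port):
    """SOCKS5 CONNECT: VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT.

    ATYP 0x03 carries the host name itself, so the server does the lookup.
    """
    head = b"\x05\x01\x00"
    port = struct.pack("!H", dst_port)
    try:
        addr = ipaddress.ip_address(dst_host)
    except ValueError:
        name = dst_host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("host name must be 1..255 bytes")
        return head + b"\x03" + bytes([len(name)]) + name + port
    atyp = b"\x01" if addr.version == 4 else b"\x04"
    return head + atyp + addr.packed + port


def socks5_greeting():
    """Client offers one method: 0x02, username/password (RFC 1929)."""
    return b"\x05\x01\x02"


def rfc1929_request(username, password):
    """Sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD. Nothing is encrypted."""
    user, passwd = username.encode(), password.encode()
    if not (1 <= len(user) <= 255 and 1 <= len(passwd) <= 255):
        raise ValueError("username and password must each be 1..255 bytes")
    return b"\x01" + bytes([len(user)]) + user + bytes([len(passwd)]) + passwd


def rfc1929_parse(packet):
    """Decode the request as the server does; any device on the path sees the same bytes."""
    if len(packet) < 2 or packet[0] != 0x01:
        raise ValueError("not an RFC 1929 request")
    ulen = packet[1]
    if len(packet) < 3 + ulen:
        raise ValueError("truncated request")
    plen = packet[2 + ulen]
    if len(packet) != 3 + ulen + plen:
        raise ValueError("length mismatch")
    return packet[2:2 + ulen].decode(), packet[3 + ulen:].decode()
```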

In WinGate, the SOCKS Server is able to recognize, and ‘hand over’ HTTP requests to the WWW
Proxy to allow caching, and HTTP-specific policies.

See also:

Adding a SOCKS5 Server

SOCKS Advanced tab

SOCKS Advanced tab

The SOCKS server properties dialog has a unique tab, the SOCKS Advanced tab.

FTP Proxy

The FTP Proxy server allows use of FTP client applications that support the username@hostname
method of firewall traversal. Examples of this are WS_FTP, and CuteFTP, as well as command-line
FTP clients.

Port 21 is normally used for FTP.

The FTP service also allows you to connect through another firewall using the same mechanism.
Looking on the connection tab you will see an option for a cascaded proxy server. This is where you
can enter your external firewall details if you have one. Enter the name of the server (e.g. firewall) or
the IP and the port name, and the user's name and password will be used to access the firewall.

Use of the SOCKS4 option on the connect tab allows an FTP client to do all its transfers via a SOCKS
server such as the WinGate SOCKS server. With use of encrypted mapped links, this allows secure file
transfer on the Internet.

See also:

Adding an FTP Proxy

Telnet Proxy

Since Telnet is inherently a command-line based service, there is no special setup for the Telnet client.
To use it however you must always first Telnet to the WinGate server on the port you set up for the
Telnet service. The standard port for Telnet is 23.

In WinGate there is an option: "Use login as required by system policies". If you select this option
and are not already authenticated or assumed you will be asked to login to Telnet:

Login:

Type your WinGate user name and hit the Enter key. You will then be prompted for your password:

Password:

Enter your password and hit the Enter key.

Once you have completed logging into Telnet proxy you will be presented with the prompt you have
specified, for example:

WinGate>

At this prompt, type in the name of the host you wish to connect (it is optional to specify a port number).
For example:

WinGate>ftp.freddy-anne.com

or

WinGate>ftp.billy-sue.com 1023

WinGate will display ‘Connecting to …’. When the ‘Connected’ message comes back, you are
connected through to the remote computer.

There have been a few changes with the WinGate telnet proxy, which affect telnet clients that issue
telnet commands (e.g. EWAN, simpterm, and UNIX clients). You may get a double-echo while you are
typing in the hostname you want to connect to. Once you are connected however, things should be
alright again.

Some clients may also have problems with hitting the Enter key. Try Ctrl-J or Ctrl-Enter. If that fails,
try running the telnet service on a different port number. This sometimes tricks telnet clients into
thinking they are not talking to a telnet server, and so they don’t send the telnet commands that may
confuse WinGate.

Note:

The telnet server has only one function - to connect you to a real telnet server. You cannot do any other
functions usually associated with telnet. If you are always telnetting to the same host, you should use a
mapped link instead - this will bypass having to type the host name in each time, and will allow full
telnet option negotiation.

See also:

Adding a Telnet Proxy

Real Audio Proxy


The RealAudio Proxy is used for the RealNetworks’ RealPlayer client.

Port 1090 is the standard port for RealAudio.

See also:

Adding a Real Audio Proxy

Integrating WinGate with other servers

POP3 Proxy

A POP3 proxy may be required if you want to be able to check your mail through WinGate. The proxy
is configurable to connect to different ports, with 110 as the default. In the POP3 proxy properties, a
delimiter can be specified. This is usually the # symbol. The delimiter is used by WinGate as shown
below.

Change the setting for your POP3 server to the name of the WinGate server (e.g. "wingate"), and change
your POP3 username to the following:

POP3 username + delimiter + POP3 server.

For Example:

If my email username is

marybob

and the mail server is

mail.qbik.com

then if I was using Netscape, MS Mail, or Pegasus mail, my user name in my email program should be
changed to

marybob#mail.qbik.com

and the mail servers (SMTP and POP3) to

wingate

If I were to use Eudora, the POP account would become

marybob#mail.qbik.com@wingate

So, if you are using Eudora, you simply replace the @ symbol with the delimiter you have chosen (e.g.
#) and add @wingate to the end. That is all you need to do.

Note, marybob#mail.qbik.com@wingate will be used as the default return address unless you
specify the correct one. ENSURE that your return address is your actual email address.

See also:

Adding a POP3 proxy

Advanced POP3 usage


Advanced POP3 Usage

The POP3 proxy handles:

<user><delim><host>:<port>

so, you can specify the port number you want WinGate to connect to. This is useful if you want to
connect to a POP3 server running on a non-standard port. For example, if you were running a POP3
server on the WinGate server on port 8110, and you were using Eudora, then your pop account in
Eudora would be

user#localhost:8110@wingate

In this way, you can run a POP3 server on the same computer as WinGate, and still have access to POP3
servers on the Internet as well. Another way of doing this would be to use the non-proxy request
support of the POP3 proxy.

Furthermore, WinGate parses the delimiter from the end of the username. This means you can run
through multiple POP3 proxies.

e.g. A pop3 account in Eudora, of

user#popserver#wingate2:8110#wingate1@wingate

would cause Eudora to connect to wingate, and send the command

USER user#popserver#wingate2:8110#wingate1

Which would cause wingate to connect to wingate1 and send the command

USER user#popserver#wingate2:8110

which would cause wingate1 to connect to wingate2 on port 8110 and send the command

USER user#popserver

which would cause wingate2 to connect to popserver and send the command

USER user

Thereby connecting through a whole series of POP3 proxies.
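
Because the client-supplied username decides which host and port each proxy dials next, it helps to see the parsing rule run hop by hop. The following is an added sketch of the `<user><delim><host>:<port>` handling described above, not WinGate's implementation: the function names, the assumption that the first proxy listens on port 110, and the optional `allowed` destination list are all hypothetical.

```python
import re

# Conservative host syntax: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def split_hop(username, delim="#", default_port=110):
    """Split one USER argument into (username to forward, next host, next port).

    The delimiter is taken from the END of the string, which is what
    allows several proxies to be chained in a single username.
    """
    rest, sep, target = username.rpartition(delim)
    if not sep or not rest or not target:
        raise ValueError("expected <user><delim><host>[:<port>]")
    host, colon, port_text = target.partition(":")
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host: %r" % host)
    port = default_port
    if colon:
        if not (port_text.isascii() and port_text.isdigit()):
            raise ValueError("invalid port: %r" % port_text)
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    return rest, host, port


def trace_chain(account, delim="#", allowed=None):
    """Expand a Eudora-style account (<username>@<first proxy>) into its hops.

    Returns a list of (host, port, command sent to that host). If `allowed`
    is given, every upstream (host, port) must be in it; this models a
    destination policy and is not a WinGate setting.
    """
    username, at, first_proxy = account.rpartition("@")
    if not at or not username or not first_proxy:
        raise ValueError("expected <username>@<proxy host>")
    hops = [(first_proxy, 110, "USER " + username)]   # first proxy port assumed 110
    while delim in username:
        username, host, port = split_hop(username, delim)
        if allowed is not None and (host, port) not in allowed:
            raise PermissionError("destination not permitted: %s:%d" % (host, port))
        hops.append((host, port, "USER " + username))
    return hops
```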

VDOLive Proxy

Now WinGate users can enjoy live Video with the new VDOLive proxy server. This proxy works for
all versions of the VDOLive player 3.22 and later.

Adding a VDOLive proxy is easy.

Steps:
1. Open the services branch on the Configuration pane
2. Right click on any service and select ‘NEW Service - VDOLive Service’
3. Type a name and Description, or accept the defaults
4. Select ‘Accept connections on port’, and type in the port number. This is usually 7000
5. Click OK, and you are done!

You may wish to run a VDOLive server and proxy on your network. To do this:
1. Click on the VDOLive Non-Proxy Requests tab, and
2. Enter the address and port number of the computer that your VDOLive server is running on.

See also:

Integrating WinGate with other servers

Xing Streamworks Proxy

WinGate includes an XDMA proxy to allow full access to the Internet.

Please note that Streamworks is no longer supported by Xing Technology Corporation.

Qbik recommend using the default port 8000 for this proxy. This needs to be configured in
Streamworks itself.

To Add an XDMA Proxy with WinGate:

1. In Gatekeeper: right-click on the Configuration pane

2. Select New /Service/XDMA Proxy

3. Accept the defaults or change the port number and click OK.

To Use the XDMA Proxy in Streamworks:

1. In the Streamworks player select Settings/Network...

2. Select the ‘Use Application firewall‘ checkbox

3. Enter these settings:

   1. Proxy Host: 192.168.0.1

   2. Proxy Port: 8000

4. Click OK and you are done.

(Note, these settings are stored in the swplayer.ini file in the Streamworks directory)

See also:

Integrating WinGate with other servers

Mapping Services - Mapped links

Mapped Links are perhaps the simplest level of implementing a gateway.

Mapping proxies are not as flexible as the other proxies are. This is because they are a simple pipe-
through of the data. For this reason, you need to specify a remote host to connect to. Think of a
Mapped Link as a patch cord or pipe. You are effectively patching computers through to remote
computers, on specified ports. You can specify a remote host and port number for each individual LAN
workstation, or a default remote host and port, which would be used if the computer connecting to the
gateway did not have a specific map entry. It is important to remember that mapped links are usable on
any TCP/IP network, be it the Internet, a Company WAN or a home/office LAN.

WinGate TCP Mapped links monitor data passing through them and will display details for the session
data that forms the ‘link’. Currently TCP mapped links will display data from the following sessions in
the Activity Pane in GateKeeper:

SMTP      Sending email
POP3      Retrieving email
NNTP      Reading Internet news groups
HTTP      Viewing web sites
FTP       Accessing an FTP server
TELNET    Connecting to a Telnet server

Any of these protocols that are used via a TCP mapped link will show some details in Gatekeeper
(obviously with the exception of any password related commands which will never be displayed). Extra
details will be displayed for HTTP, POP3 and SMTP.

Example: Using an SMTP Server Mapped Link

SMTP uses port 25. To use SMTP (in order to send email), you need a TCP mapped link to your SMTP
server. In the example above, a TCP link has been created to connect to ‘smtp.mailserver.com’ on port
25. If you follow the install instructions, a SMTP mapping will be created automatically.

Example: Using an Internet News Reader Mapped Link

News uses port 119. WinGate does not have a news proxy, so you have to use a mapped link. You have
to know what news server you want to use, and what port it is on. Say you choose news.cnn.com also
on port 119.

Set up a mapped link on port 119 with a default host of news.cnn.com, on port 119 and ensure that it is
enabled.

When you want your news program to get your daily newsgroups, you ask it to connect to ‘wingate’, not
news.cnn.com, because WinGate has now become a connection to your news server: news.cnn.com on
port 119.

If you access the port for news, you will be communicating with the news server via WinGate. The
News program doesn’t know or need to know this, all it cares is that WinGate appears to be a news
server. WinGate does not even know what protocol is running over the link, only the client and server
need to know this.

Different people sometimes need the same mapped port to be used in different ways. For this
reason, WinGate supports mapping by user or location. E.g. some users may wish to use a certain news
server, and others may wish to use another. If this is the case, you need to add specific mappings. To
add a mapping, you choose the mappings tab, add a mapping, and enter the values for the server and port
and the conditions under which (i.e. for whom / where from) WinGate will use this new server and port
rather than the default.

Timeouts

For TCP based services (i.e. anything except DNS, XDMA, and UDP Mappings) the session timeouts
are really only there as a safeguard against problems. In the normal operation of a session, it will
terminate when it has done its stuff. However, sometimes connections can be left open when nothing is
happening, and so the timeouts are there to terminate those sessions, so that they don't do things like
holding the modem up.

For UDP-based (UDP Mappings, DNS etc) sessions however, the timeout is the ONLY way a session
will ever terminate, as there is no connect and close for a UDP socket, so no indication is made of when
a session is completed.

Adding Mapping services

Mapped Link Advanced Features

The mapped links are in some ways more limited than the other proxies, but more flexible in others.

• Mappings can be based on individual user needs. Configurations can differ per user, location or
Dialer Profile.
• The TCP mappings have the option of encryption. Encryption is the process of making data secure
by making it extremely difficult for anyone but the intended user to understand.

Encryption in WinGate

WinGate can use encryption in the mapped links to make a secure data channel for WinGate-to-WinGate
mapped links. Consider this situation. Many companies have Mail, telnet, HTTP or FTP servers for
employees and clients to access at will. Commonly this is sensitive information. These servers are text
driven programs and, like mail, when you send the password, it is transmitted in the clear. That means
anyone with the ability to sniff your packets on the Internet can get hold of your passwords, and
intercept data. For this reason, many companies requiring secure remote access to their servers have
leased lines or dial in servers so that the communications do not take place over the Internet. This can
be very expensive.

This is where WinGate comes in. WinGate can encrypt all the data you send from your LAN computer
to the Internet or external network. It sends the data to another WinGate server, and the data is
decrypted. This only works with mapped links. This can provide access for telnet, HTTP, email and
others. Using encrypted mapping proxies, a company can provide secure access to their file server, and
mail, and terminal programs.

Adding an encrypting mapped link


1. Add a TCP mapped link, use a suitable name such as ‘Encrypting TCP link’
2. Select a port. It is usually safe to use port numbers above 10000
3. Select the Encryption tab
4. Select the Incoming or Outgoing encryption option
5. Enter details according to your needs.

Example 1 - secure access to file servers

A company has two offices, one in Auckland, another in Melbourne. They want to be able to access the
files on the Melbourne file server across the Internet securely.

Steps: from Melbourne in Australia.


1. Run an HTTP server on the file server
2. Put in a mapped link in the Melbourne WinGate, say on port 3080, which maps through to the
HTTP server on the file server.

Steps: from Auckland in New Zealand

Put in an encrypted mapped link on port 3080, which maps through to the Melbourne WinGate on port
3080.

Now to browse and retrieve and upload files, a user simply uses a WWW Browser, and types in the
URL

http://wingate:3080

The browser will then connect to the WinGate in Auckland, which will make an encrypted connection
to the WinGate in Melbourne, and plug through to the HTTP server. Using directory browsing on the
HTTP server, the Netscape user in Auckland can easily browse files, and download them. If your HTTP
server supports the PUT method, you can even upload files to the server, giving you basically full
access throughout the browser.

Example 2 - secure Unix access

A company has a Unix server on which they run their order-entry system. They want to provide secure
access to this system over the internet so that their staff in remote offices (or even from home) can work
on the server securely.

Step: Main office

1. Set up an encrypted mapped link on say port 3023 which plugs through to the Unix telnet
server on port 23.

Step: Remote office

1. Set up an encrypted mapped link on say port 3023 which plugs through to the main office
server on port 3023.

To connect securely to the main office server, the users simply telnet to WinGate on port 3023. They
will then be presented with the logon prompt of the Unix computer in the main office, but all
communications are encrypted.

DNS Server

For anything to work at all, the WinGate server itself must have a working DNS setup. For the rest of
your LAN, that will be accessing the Internet through WinGate, you have the option of setting it up or not.
Qbik recommend using the WinGate DNS server as it integrates with the WinGate DHCP Server to
provide computer name lookup.

The following are the main reasons why you may want to set up DNS on your LAN:

• You want to use SOCKS4 to access FTP or Gopher or HTTPS URLs in a browser.
• You want to run some other SOCKS4 capable software.
• You have a large LAN and you want name resolution for the computers on your LAN.
• You want to be able to refer to 'wingate' in your client setup.

None of the proxies in WinGate other than SOCKS require DNS to be working on the computers on your
LAN.

One of the quirks of the SOCKS4 protocol (fixed in SOCKS5) is that a request for a connection is made
in the form of a request for connection to an IP number. This means that a SOCKS4 client needs to be
able to look up addresses in order to supply this IP number to the SOCKS4 server.

For this reason, the DNS server was added to WinGate. If you already have DNS on your internal
network, and it has sufficient scope to resolve all the names you wish to connect to, then you will not need
to run the DNS server in order to use the SOCKS server. You should not enable the DNS server in
WinGate if you are already running a DNS server on the same computer - this will mess up your DNS
server.

See Also:

Disabling the WinGate DNS Service

DNS Options

Remote Control Service


WinGate is completely controlled and configured using a remote administration tool called GateKeeper.
GateKeeper communicates over an encrypted TCP/IP link with WinGate for all configuration,
monitoring, and control. The service that provides this access in WinGate is the Remote Control Service
(RCS). Gatekeeper is used for configuration but is not essential for Internet access itself.

The service provides the ability to configure WinGate from any computer on the network if you have a
Pro license.

The service itself is installed and started when WinGate is installed. If for any reason the service is
removed or becomes corrupted, WinGate will reinstall the service with default settings.

The RCS has various configuration tabs, though few changes will be necessary.

The default port is 808. This is the port on which the RCS listens so that GateKeeper can connect.

The RCS is used by any client that wishes to authenticate with WinGate, including GateKeeper, the Java
Client (via a Web browser) or any third-party designed applications that use a Qbik-provided DLL for
authentication.

RCS sessions are indicated in Gatekeeper with a Key icon.

Click here to learn more about configuring the WinGate server to accept a remote connection.

Adding a WWW Proxy Server

Adding a WinGate WWW Proxy Server is simple.


1. Open the services branch on the Configuration pane
2. Right click on any service and select ‘New Service - WWW Proxy Service’
3. You will be presented with a service properties dialog
4. Type in a name and description for the service, or use the default
5. Type in the port to use, or accept the default.

Please note that all services must have distinct names.

You can choose to accept the defaults for the advanced options, or configure them yourself.

You may wish to run an HTTP server on your network. To have it accessed back through WinGate from
the Internet or your local LAN as though WinGate were an HTTP server:

Click on the Non-Proxy Requests tab, select "Pipe through to predetermined server" and enter the
address and port number of the computer that your HTTP server is running on. You also have some other
options for what to do if the WWW Proxy receives a standard (non-proxy) HTTP request.

See also:

Non-Proxy-Request tab

WWW Proxy Server

Adding a SOCKS 5 Server

Adding a WinGate SOCKS 5 Proxy Server is simple.


1. Open the services branch on the Configuration pane
2. Right click on any service and select ‘NEW Service - SOCKS Service’
3. You will be presented with a tab-control configuration box
4. Type in a name and description for the service, or use the default
5. Type in the port to use, or accept the default.

Note that all services must have distinct names.

You can choose to accept the defaults for the advanced SOCKS options, or configure them yourself.

See also:

SOCKS5 server

Adding a POP3 Service

Adding a WinGate POP3 Proxy Server is simple.


1. Open the services branch on the Configuration pane.
2. Right click on any service and select ‘NEW Service – POP3 Proxy Service‘.
3. You will be presented with a tab-control configuration box.
4. Type in a name and description for the service, or use the default.

5. Type in the port to use, or accept the default. You are finished unless...
6. If you have a POP3 Server on your network, select Non Proxy Requests.
7. Select ‘Pipe to...’ and type in the name or IP of the computer with the mail server.
8. Enter the POP3 port of the mail server.

Note: all services must have distinct names.

You can choose to accept the defaults for the advanced options, or configure them yourself.

You may wish to run a POP3 server on your network. To have it accessible through WinGate from the
Internet or your local LAN as though WinGate were a POP3 server, you should click on the Non-Proxy
Requests tab, and enter the address and port number of the computer that your POP3 server is running on.

See also:

Non-Proxy-Request tab

Adding a Telnet Proxy

Telnet Proxy generally uses port 23.

To Add a Telnet Proxy:

1. Open the services branch on the Configuration pane.

2. Right click on any service and select ‘NEW Service - Telnet Service’

3. Select ‘Accept connections on port’, and type in the port number. This is usually 23.

4. Click OK, and you are done!

Adding a FTP Proxy

It is simple to add an FTP Proxy in WinGate. FTP uses port 21.

To Add a FTP Proxy:

1. Open the services branch on the Configuration pane

2. Right click on any service and select ‘NEW Service - FTP Service’

3. Select ‘Enable connections to proxy on port’, and type in the port number. This is usually 21
unless you have a FTP server running on that port. In that case try port 140

4. If you have an external firewall, enter the host and port details and check the "Use firewall"
option

5. Click OK, and you are done!

You may also run an FTP server on your network and have it accessible through WinGate from the
Internet or your local LAN as though WinGate were an FTP server. If so:

Click on the Non-Proxy Requests tab, and enter the address and port number of the computer that your
FTP server is running on.

Disabling the WinGate DNS Server

You can use the WinGate DNS Server, or a UDP Mapped Link on port 53 for DNS. The WinGate DNS
Server will be installed and started by default.

Disabling the WinGate DNS Service:

1. Open WinGate DNS Service from GateKeeper

2. On the General tab "startup options" select "disabled"

3. Click OK to close the DNS service dialog

4. Right click on the DNS service in GateKeeper and select "Stop" from the context menu. This
will stop and unbind the service from the interface.

See also:

DNS Server

DNS Options

Adding a Mapped Link

Adding a Mapped Link, Mapping Proxy, or Mapping service (they all mean the same thing) is simple.

To add a Mapped link in WinGate follow the steps below. Remember that a mapped link can connect to
one computer only, so you have to know which computer you are going to connect to, and the port you
are going to use.

First, select the Socket type. This is probably going to be TCP, but some applications use UDP (i.e. DNS)
and will tell you so.

Then, follow these steps:

1. Open the services branch on the Configuration pane

2. Right click on any service

3. Select ‘NEW Service - TCP (or UDP) Mapping Service’

4. Select ‘Enable connections on port’

5. Type in the port number to use on the local computer

6. Select ‘Enable default remote host’

7. Type in the name of the remote computer (e.g. news.iprolink.co.nz)

8. Type in the port to use on the remote computer *

9. Click OK and you are done.

* This is nearly always the same as you put in Step 3.

Common Mappings

Here are some typical mappings, and what they are used for.

Service                     Port   What to do
Internet/Usenet News        119    Set up a TCP Mapped link on port 119, mapped to your news server on the same port.
IRC Chat                    6667   Set up a TCP Mapped link on port 6667, mapped to your IRC server on the same port.
SMTP Mail (sending mail)    25     Set up a TCP Mapped link on port 25, mapped to your SMTP Mail server on the same port.
* DNS Service Mapping       53     Set up a UDP Mapped link to a DNS Server (probably your ISP’s) on port 53. This is an alternative to using the WinGate DNS Service.

See also:

Adding specific mappings

Adding Specific Mappings

Having a default mapping means that any computer on your network that connects to that port number
will be put through to the computer name you specified. You may not want this. One person may want to
connect to a different server on that port. You can set up specific mappings based on IPs, Users or
Dialers. These links are shown on the mappings as in the above picture.

Mapping by IP address

E.g. Jon uses the computer 192.168.0.5. He likes to use news.cnn.com instead of the default. Follow
these steps to change his mapping.

1. Edit the Mapped link in the Configuration pane

2. Click Mappings then Add. You get a new dialogue box

3. Type in the Server to map to (news.cnn.com in our example)

4. Type the port to connect to; this will be 119 for news

5. Click Location and specify 192.168.0.5

Finally, click Done and the Mapping will be saved.
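
What a TCP mapped link with a default remote host and a "Mapping by IP address" override does on the wire, as an added Python example (not WinGate's own code). The function names, the loopback banner servers standing in for news servers, and the rule that a specific mapping wins over the default are assumptions made for illustration.

```python
import asyncio


def choose_target(default, by_ip, client_ip):
    """Pick (host, port): a specific mapping for this client IP wins over the default."""
    return by_ip.get(client_ip, default)


async def _pump(reader, writer):
    """Copy bytes one way until EOF. Nothing is parsed, logged or filtered."""
    try:
        while True:
            data = await reader.read(4096)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()


async def start_mapped_link(bind_host, bind_port, default, by_ip):
    """Listen on bind_host:bind_port and pipe each client to its mapped target."""
    async def handle(client_r, client_w):
        client_ip = client_w.get_extra_info("peername")[0]
        host, port = choose_target(default, by_ip, client_ip)
        try:
            remote_r, remote_w = await asyncio.open_connection(host, port)
        except OSError:
            client_w.close()          # target unreachable: drop the client
            return
        await asyncio.gather(_pump(client_r, remote_w), _pump(remote_r, client_w))
    return await asyncio.start_server(handle, bind_host, bind_port)


async def _banner_server(banner):
    """Constructed stand-in for a remote server: send one line, then hang up."""
    async def handle(_reader, writer):
        writer.write(banner)
        await writer.drain()
        writer.close()
    return await asyncio.start_server(handle, "127.0.0.1", 0)


async def demo():
    """Connect through the link twice: default mapping, then a per-IP mapping."""
    default_srv = await _banner_server(b"200 default news server\r\n")
    special_srv = await _banner_server(b"200 specific news server\r\n")
    default = ("127.0.0.1", default_srv.sockets[0].getsockname()[1])
    special = ("127.0.0.1", special_srv.sockets[0].getsockname()[1])
    seen = []
    # The demo client connects from 127.0.0.1, so that is the IP to map.
    for by_ip in ({}, {"127.0.0.1": special}):
        link = await start_mapped_link("127.0.0.1", 0, default, by_ip)
        port = link.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        seen.append(await reader.readline())
        writer.close()
        link.close()
    default_srv.close()
    special_srv.close()
    return seen


if __name__ == "__main__":
    print(asyncio.run(demo()))
```

The relay copies bytes without looking at them, so a mapped link cannot filter what passes through it; the address it is bound to decides who can reach the mapped server.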

Mapping by User name

E.g. Bobby-Sue uses smtp.mail.com instead of the default SMTP server. Follow these steps to change
his mapping.

1. Double click the Mapped link in the Configuration pane

2. Click Mappings then Add. You get a new dialogue box

3. Type in the Server to map to (smtp.mail.com in our example)

4. Type the port to connect to; this will be 25 for SMTP

5. Click User and Specify Bobby-Sue

Finally, click Done and the Mapping will be saved.

Mapping by Dialer profile

If you have two dialer profiles, using two different ISPs, you may well need to configure different SMTP
servers to be used depending on which profile is online.

1. Double click the SMTP Mapped link

2. The Default Mapping should be to the SMTP server of the first ISP

3. Click Mappings then Add. You get a new dialogue box

4. Tick the ‘Dialer Dependant’ option and select the second ISP’s profile

5. Type in the Server name for the SMTP server of the second ISP

6. Type the port to connect to; this will be 25 for SMTP.

Finally, click Done and the Mapping will be saved.

For Example:

Adding a Real Audio Proxy

To add a RealAudio Proxy Service:

1. Open the services branch on the Configuration pane.

2. Right click on any service and select ‘NEW Service - Real Audio Service’.

3. Type a name and Description, or accept the defaults.

4. Select ‘Accept connections on port’, and type in the port number (usually port 1090).

5. Click OK, and you are done!

You should note that the RealAudio player defaults to port 1080 for their proxy configuration. This is
normally used by the WinGate SOCKS service, and so you should make sure when configuring your
RealAudio player, that you specify the port number you have chosen for the RealAudio proxy service in
WinGate.

You may wish to run a RealAudio server on your network as well. To have it accessible back through
WinGate from the Internet or your local LAN as though WinGate were a RealAudio server, you should
click on the Non-Proxy Requests tab, and enter the address and port number of the computer that your
RealAudio server is running on.

See also:

Integrating WinGate with other servers

InterQuick Plug-in Integration

InterQuick (IQ)™ can now provide faster access and more control to web content for WinGate Internet
users. It combines two powerful Web acceleration tools, IQfetch™ and IQschedule™, with two Web
content filtering tools, IQfilter™ and IQblock™. In addition to these tools, web surfing is further
streamlined with an advanced Web and DNS cache.

Now that InterQuick can act as an integrated WinGate plug-in, these benefits can be extended to all
Internet users across your local network. When acting as a WinGate plug-in, InterQuick provides the
following features network-wide:

• IQfetch™
Takes advantage of idle Internet connection time and unused bandwidth to preemptively load and
cache Web pages that are linked to from the Web page a user is viewing. Once requested, these pre-
loaded Web pages are available from the InterQuick cache at faster speeds.

• IQschedule™

Allows users to download favorite Web pages automatically at scheduled times, resulting in
instantaneous Web page viewing when the user requests the page.

• IQfilter™
Removes unnecessary Web page content, such as banner advertisements or sound files, from Web
pages. This feature not only reduces Web page download times by saving bandwidth, it also minimizes
distractions on Web pages and streamlines the access of Web content.

• IQblock™
Restricts access to undesirable Web content, an excellent tool for parents or employers that want to
ensure safe and productive Internet usage.

InterQuick is available as a complimentary plug-in from http://www.wingate.com/plugins (cut and
paste this link into your web browser).

SMTP Proxy Service

How to Access This Control:

From the GateKeeper Control Panel: From the Service tab select SMTP Proxy.

The SMTP Proxy Service allows local network and Internet users to send mail through WinGate. In the
past this could be achieved with a TCP Mapped Link, but the proxy provides an active layer of
functionality. This layer allows you to process both incoming and outgoing email before it reaches the
intended recipient.

You can view the results of the SMTP Proxy in:


• GateKeeper History (note that a single entry is added for a bulk mail send or receive). Message
subjects are not recorded to protect privacy.
• System Messages – these will be generated whenever a message is dropped or silently discarded
because the sender or recipient was not a member of a local domain.
• SMTP Proxy log files – entries are generated when a message is dropped because of an incoming
mail filter (message size or number of recipients). See the explanation of these options for more
detail.

What Benefits Does It Provide?

As with all proxies, the SMTP Proxy allows you to run an Internet-based service (in this case SMTP) on a
computer that is not directly connected to the Internet. Because it operates between the sender and
receiver it provides the following features:

• Spam protection by defining local domains and filtering messages on criteria such as ‘sender’s
address’, ‘recipient’s address’ and ‘number of recipients’
• Define email address aliases for both incoming and outgoing email

How to Setup the SMTP Proxy Service


Click here to learn about setup and configuration.
SMTP Proxy Setup

There are many different ways for configuring an email service.

Links below show you how to make the SMTP Proxy Service work for your email setup – this includes
protecting you from spam and providing email address aliases.

You may like to read up on some of these topics before setting up the proxy:

How email sending & receiving works (via SMTP)

What is email spam?

Select the type of email setup that you currently use on your network:

I use my own SMTP server that runs on the local network.

I use an SMTP server running somewhere on the Internet.

Configuring the SMTP Proxy for Local SMTP Servers

If you are running your own SMTP server then it will either be on the gateway PC (like WinGate), or on
another computer somewhere on the private network. Either way, you must configure it to work with the
SMTP Proxy to benefit from features such as spam-filtering and aliases.

SMTP Server on the Gateway Computer (with WinGate)

The SMTP Proxy must listen on port 25 on the external interface – however your SMTP mail service will
also try to bind here (since they are both designed to receive email).

Follow these steps:


1. Set the SMTP server to run on a different port (2525 is typical).
2. On the general tab of the SMTP Proxy (above) enter:

(a) Inbound Email : Set the internal server to 127.0.0.1 and the port to 2525 (or whatever you
set it to run on in step 1). Once the SMTP Proxy has filtered the inbound email it will forward
it on to your usual SMTP server.

(b) Outbound Email : Set the internal server to 127.0.0.1 and the port to 2525 (or whatever
you set it to run on in step 1). Once the SMTP Proxy has filtered the outbound email it will
forward it on to your usual SMTP server for delivery.
3. Configure the bindings (this is a tab for the service) – if you have mobile users or users working
from home then they will be connecting to the mail server from the Internet. You should
configure the bindings to listen on ‘All Interfaces’.
4. Alternatively, if you will only be sending email from within the LAN then configure bindings
to only accept local connections (i.e. localhost and the private IP address of the WinGate PC).
5. Select OK.
6. Save changes in GateKeeper (not necessary if AutoSave feature is enabled).

SMTP Server on another PC on the Local Network

If this was the case, then inbound email must have had some way of directly connecting through WinGate
– this was probably a TCP Mapped Link. In order to work with the SMTP Proxy you will have to first
remove the mapped link.

Then follow these steps:

1. On the general tab of the SMTP Proxy (above) enter:


(a) Inbound Email : Set the internal server to the IP address of your SMTP server (e.g.
something like 192.168.*.*). Once the SMTP Proxy has filtered the inbound email it will
forward it on to this IP and port.

(b) Outbound Email : Set the internal server to the IP address of your SMTP server (e.g.
something like 192.168.*.*). Once the SMTP Proxy has filtered the outbound email it will
forward it on to your usual SMTP server for delivery. If this server is
2. Configure the bindings (this is a tab for the service) – if you have mobile users or users working
from home then they will be connecting to the mail server from the Internet. You should
configure the bindings to listen on ‘All Interfaces’.
3. Alternatively, if you will only be sending email from within the LAN then configure bindings to
only accept local connections (i.e. localhost and the private IP address of the WinGate PC).
4. Select OK.
5. Save changes in GateKeeper (not necessary if AutoSave feature is enabled)

In the past this was handled by a mapped link through to the server. However, this did not provide any
ability to process email before it reached your mail server (and hence was already within your network).

Next Steps:

Configuring WinGate to protect you from Spam

Configuring WinGate to provide email aliases

Configuring the SMTP Proxy for Remote SMTP Servers

If you do not manage your own SMTP server then you will be using somebody else’s to send and receive
email. Typically this will be an Internet Service Provider (ISP), but it may be the head office of your
organization or whatever.

This means that you will never have email arriving directly at your LAN. Even when you check your
email, the email has already been delivered and is simply waiting for you to check it. When you do, you
use the POP3 program to download it. Therefore, you should disable the "Support inbound mail via
Internal mail server" option.

Follow these steps:


1. On the general tab of the SMTP Proxy (above) enter:
(a) Outbound Email : Set this to point to the domain name or IP address of the SMTP server
you are using. If you are using an ISP or another organization then this will typically be defined
as smtp.<ISPname> or mail.<ISPName>. This is so that mail sent from your network can be
relayed in the right direction on the Internet.
(b) Inbound Email : Disable this option.
2. Configure the bindings (this is a tab for the service) – if you have mobile users or users working
from home then they will be connecting to the mail server from the Internet. You should
configure the bindings to listen on ‘All Interfaces’.
Alternatively, if you will only be sending email from within the LAN then configure bindings to
only accept local connections (i.e. localhost and the private IP address of the WinGate PC).
(Note On Logging Remote Users: Continuing to route remote users through WinGate rather
than directly at an ISP is useful since their activity will be reflected in your WinGate activity,
history and logs)
3. Select OK.
4. Save changes in GateKeeper (not necessary if AutoSave feature is enabled).

What Is Email Spamming?

Spamming refers to distribution of email (normally all unsolicited and lots of it) through somebody else’s
SMTP server.

An SMTP server is typically set up by an organization to send and receive email for the employees of that
organization. This includes ISPs (Internet Service Providers) who sell the ability to send and receive
email for their customers. To achieve this the SMTP server is normally associated with one or more
domains (many in the case of an ISP) for which it sends and receives email.

How Does Spam Occur?

Spamming occurs when an SMTP server sends (or "relays" as it is called) email for a user that does not
belong to the local domain – this is called "open-relay". Spammers quickly find open-relay SMTP
servers (often lists of these are published on the Internet) and use them to send a single message to
thousands of recipients.

Spamming is a very cheap and effective method for reaching thousands of people because:
• Somebody else pays for the data traffic required to send so many emails;
• They remain anonymous since the messages are sent from a server that they normally have nothing
to do with (even trying to track the spammer from the victim SMTP server is usually fruitless since
the spammer will typically "fake" their original IP).

WinGate Spam Protection

The SMTP Proxy Service can protect you from Spam in several ways (if you do not know what spam is
and how it works click here first):

Incoming Mail Options


Relaying and Local Mail Domains

You can specify a list of "Local Mail Domains" – only users who are members of one (or more) of these
domains will be able to send and receive through this proxy. WinGate verifies this by checking the email
address of both the sender and recipients (via the "MAIL FROM" and "RCPT TO" commands
specified in the SMTP protocol).

If the mail sender / recipient is not a member of a "local mail domain", you can configure the proxy to:
• Allow Relaying – Permits open relaying of email (spamming)
• Reject Relay Attempts – Rejects the message and notifies the sender
• Silently Discard Relay Attempt – Rejects the message but does not notify the sender (annoying for
the spammer since they think their message was successfully dispatched)

Related Topics:

Setting up email address aliases with the SMTP Proxy

How email sending & receiving works (via SMTP)

Configuring WinGate and your SMTP email server

Using Email Aliases

How to Access This Control:

From the GateKeeper Control Panel: Pick the Service Tab & select SMTP Proxy.

‘Email Address Aliases’ allow you to specify more than one email address for a single user. They work
for both incoming and outgoing mail. The idea is simple: any email directed at the "original recipient"
is sent to the "Change to" recipient. The SMTP Proxy will actively change the TO: address before it
reaches the actual SMTP server (so it will work for both incoming and outgoing email).

Note that you will only be able to use inbound email aliases when you are running an SMTP server on
your own local network.

Where to Use Aliases Effectively

(a) Best-Guess Email Addresses

For a single email user John Thompson at the domain myworkplace.com you can set up aliases like:
john@myworkplace.com, johnt@myworkplace.com, john.thompson@myworkplace.com,
jt@myworkplace.com, etc. This allows best-guesses to reach their intended recipients on the first
attempt.

Tip: This feature will only work when you have your own SMTP server setup on the gateway or on
another computer on your local network (not at an ISP or elsewhere on the Internet).

(b) Eliminate Need for Extra Email Accounts

Aliases also work well for standard accounts (such as webmaster, postmaster, administrator, info, help,
support) – rather than creating a separate email account to be checked, simply forward these to the
appropriate person’s ordinary mail account via an alias.

Tip: This feature will only work when you have your own SMTP server setup on the gateway or on
another computer on your local network (not at an ISP or elsewhere on the Internet).

(c) Auto-Forwarding to a New Address

Changing your email address is not uncommon. It is simple to define an alias that forwards any email
directed at an old email address on to a new one. It is ideal for allowing you to forward emails addressed
to old employees onto the new person (or anybody else who no longer is a member of the domain).

Tip: This feature works best for incoming mail from the Internet so is only effective when you have your
own SMTP server setup on the gateway or on another computer on your local network (not at an ISP or
elsewhere on the Internet).

(d) Same Role, Changing Email Address

Sometimes many users on a network will need to email a person who is temporarily filling a particular
role e.g. travelling salesman for the month, employee of the week. Rather than update each person with a
new email address, you can configure "outbound" email aliases so that users on your network can always
email the same address. This means that the address needs to be changed in one place only (i.e. edit the
existing alias).

Related Topics:

WinGate Spam Protection

How email sending & receiving works (via SMTP)

Configuring WinGate and your SMTP email server

How SMTP Works

SMTP is an acronym for Simple-Mail-Transfer-Protocol and is frequently referred to on the Internet.


This basic protocol spells out the rules for what computers need to do to send and receive email around
the world. Typically the send and receive functions are implemented by different services and we explain
how these work below.

How SMTP Sends & Receives Email over the Internet

A single SMTP server will typically provide both sending and receiving functions for email.

Sending Email – When you click "SEND" from your email program (whether it is Eudora, Outlook,
Pegasus or whatever), the program begins talking to the SMTP server that you have specified in settings.
It identifies itself (and this can easily be spoofed) and proceeds to send the message. This involves
specifying who to send it to (including to:, cc:, bcc:) and then sending the data (this includes the reply to
address, subject, content and basically everything else).

The SMTP server finds out where to send it by performing a special DNS name look up on the email
address e.g. for max@qbik.com the SMTP server would do a lookup on the domain qbik.com. The
lookup is special because it specifically requests the MX record associated with that domain (the MX
record states which IP address manages email for the given domain). Once it has this IP address, the
SMTP server connects to it on port 25 and repeats the same commands and data that were originally sent
to it by the email program.

When one SMTP server forwards email to another this is called "relaying". Email should only be
"relayed" when the sender of the message belongs to the domain that that server accepts mail for.
However many SMTP services are not particularly intelligent so will allow any users to use them to
forward thousands of emails to anyone on the Internet – this is called "Spamming". Click on this link to
learn more about Spamming.

Receiving & Delivering Email – An SMTP service typically runs on port 25 and waits to receive email
for one or many domain(s).

If it is your own SMTP server then it should be configured to accept email for whatever domains you own
and use (e.g. the SMTP server for Qbik New Zealand Limited receives and delivers email for employees of
Qbik). However, most people use the SMTP service of their ISP (Internet Service Provider) which is
configured to receive and deliver email for any domains owned by their customers.

Related Topics:

What is email "Spam" and how does it occur?

Setting up the SMTP Proxy to work for you

Add/Remove/Edit Alias

Add: Allows you to configure a new alias for an existing email address;

Remove: Removes the selected email alias;

Edit: Allows you to edit the properties of the selected alias.

Limit Message Size


Many ISPs charge for the amount of data sent through them to the Internet. You may choose to restrict
the maximum size for an incoming message (WinGate will not restrict outgoing emails). Note that the
message header/control fields are normally 20k, so you should allow for this when configuring
your policy on email size.

How Can I Tell When It Worked?

If a large message is dropped, neither the sender, intended recipient nor WinGate administrator is notified
(there will be an error code 2 entry in the SMTP Proxy log file).

Limit Number of Recipients


This basic approach is effective in that it makes your SMTP server an unattractive option to a spammer.
This is because "spammers" typically rely on open-relay mail servers to relay their message on to many
thousands of recipients from a single send.

However, it does NOT prevent local users from sending an outbound message to as many recipients as
they want. This way "spammers" are restricted but your local users are not.

How Can I Tell When It Worked?

If a message is dropped because it had too many recipients, neither the sender, intended recipient nor
WinGate administrator is notified (there will be an error code 2 entry in the SMTP Proxy log file).
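
The decisions described under "Relaying and Local Mail Domains", "Limit Message Size" and "Limit Number of Recipients", modelled in Python as an added example (not WinGate's own code). The ProxyPolicy class, the evaluate function, the sample sessions, the order of the checks, and the rule that a relay attempt is a recipient for which neither sender nor recipient is in a local mail domain are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Address inside "MAIL FROM:<addr>" or "RCPT TO:<addr>"; "<>" is the empty bounce sender.
_PATH = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^<>\s]*)>", re.IGNORECASE)


@dataclass
class ProxyPolicy:
    """Hypothetical model of the SMTP Proxy options named on this page."""
    local_domains: frozenset
    relay_action: str = "reject"   # "allow", "reject" or "discard"
    max_recipients: int = 0        # inbound only; 0 means no limit
    max_message_bytes: int = 0     # inbound only; 0 means no limit


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def parse_envelope(lines):
    """Return (sender, [recipients]) from the client's SMTP command lines."""
    sender, recipients = None, []
    for line in lines:
        m = _PATH.match(line.strip())
        if not m:
            continue
        if m.group(1).upper() == "MAIL FROM":
            sender, recipients = m.group(2), []   # a new MAIL resets the envelope
        else:
            recipients.append(m.group(2))
    return sender, recipients


def evaluate(policy, lines, message_bytes):
    """Decide what happens to each recipient of one SMTP transaction."""
    result = {"deliver": [], "rejected": [], "discarded": [], "dropped": None}
    sender, recipients = parse_envelope(lines)
    if sender is None or not recipients:
        result["dropped"] = "incomplete envelope"
        return result
    local = {d.lower() for d in policy.local_domains}
    sender_local = domain_of(sender) in local

    # Incoming mail filters: never applied to mail sent by local users.
    if not sender_local:
        if policy.max_recipients and len(recipients) > policy.max_recipients:
            result["dropped"] = "too many recipients"   # silent drop, log entry only
            return result
        if policy.max_message_bytes and message_bytes > policy.max_message_bytes:
            result["dropped"] = "message too large"     # silent drop, log entry only
            return result

    for rcpt in recipients:
        if sender_local or domain_of(rcpt) in local:
            result["deliver"].append(rcpt)        # outbound or inbound: not a relay
        elif policy.relay_action == "allow":
            result["deliver"].append(rcpt)        # open relay
        elif policy.relay_action == "discard":
            result["discarded"].append(rcpt)      # accepted on the wire, then dropped
        else:
            result["rejected"].append(rcpt)       # refused, sender is told
    return result


# Constructed sample sessions (client command lines only).
INBOUND = ["HELO mail.example.net", "MAIL FROM:<alice@example.net>",
           "rcpt to:<John@MyWorkplace.COM>", "DATA"]
RELAY = ["HELO host.example.org", "MAIL FROM:<bulk@example.org> SIZE=2000",
         "RCPT TO:<u1@example.net>", "RCPT TO:<john@myworkplace.com>", "DATA"]
OUTBOUND = ["MAIL FROM:<sales@myworkplace.com>"] + [
    "RCPT TO:<customer%d@example.net>" % i for i in range(5)]
FLOOD = ["MAIL FROM:<bulk@example.org>"] + [
    "RCPT TO:<user%d@myworkplace.com>" % i for i in range(4)]
BOUNCE = ["MAIL FROM:<>", "RCPT TO:<john@myworkplace.com>"]

if __name__ == "__main__":
    policy = ProxyPolicy(frozenset({"myworkplace.com"}), "reject", 3, 500_000)
    for name, session in [("inbound", INBOUND), ("relay", RELAY),
                          ("outbound", OUTBOUND), ("flood", FLOOD), ("bounce", BOUNCE)]:
        print(name, evaluate(policy, session, 2_000))
```

MAIL FROM is supplied by the connecting client, so the local-sender test is only as trustworthy as the bindings that decide who can reach the proxy.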

Outbound Mail Options


You can choose to let the WinGate SMTP Proxy filter inbound messages, outbound messages or both.
Specify the domain name or IP address of the outbound server (the port will typically be 25).

To learn about configuring this for your network, click the link at the foot of the topic.

Inbound Mail Options


You can choose to let the WinGate SMTP Proxy filter inbound messages, outbound messages or both.
Specify the domain name or IP address of the inbound server (the port will typically be 25).

To learn about configuring this for your network, click the link at the foot of the topic.

Bindings Tab
Bindings are a key part of every service. They determine whether your WinGate Service is ‘visible’ or
‘available’ for users on the LAN, the Internet or both.

Click here to learn more about configuring WinGate Service ‘bindings’

Sessions Tab
‘Sessions’ are created by WinGate Services – they represent the actual activity created when a service is
currently being used. Most services allow you to specify options for sessions.

Click here to learn more about configuring WinGate Service ‘sessions’.

Interfaces Tab
Interfaces are a key part of every service. They determine how the service accesses the Internet for any
outgoing connections (e.g. Modem, ISDN, Both etc.).

Click here to learn more about configuring WinGate Service ‘interfaces’

Policies Tab
The policies tab allows you to create per-service policies. These rules and restrictions apply to access of
that particular service.

Click here to learn more about configuring service-level policies

Logging Tab
The logging tab allows you to set some options for logging. Each service has a log file (readable from
any text editor) that is created in the WinGate\Logs folder by default.

Click here to learn more about service logging

Non-Proxy Tab
The Non-Proxy tab is only available for some services. It allows you to handle any direct connections to
the service specially (i.e. connections made by a client application not configured to use proxies).
Typically this will be connections from the Internet.

To learn more about non-proxy requests click here.

Java Check Box


This will enable authentication for the WWW Proxy via the browser-based Java Client (ideal for non-PC
users).

Click here to learn more about Java authentication

Information

You can view the following general information from these links:

• WinGate FAQ
• WinGate Tested Software
• WinGate Licensing
• Contact information
• About Qbik New Zealand
• How to use WinGate Help effectively

WinGate FAQ

For those of you who don’t know what the FAQ is, here is our first question:

What is the FAQ?

An FAQ is a list of Frequently Asked Questions. The WinGate FAQ contains questions that often arise
for new and existing users of WinGate. If the Manual hasn’t answered your questions or solved your
problem, then the FAQ is the next place to look.

Where is the FAQ?

The WinGate FAQ and Knowledge base is now located online at

http://wingate.deerfield.com/support/

Open a browser and enter the address above.

WinGate Tested Software

The following software has been tested and works with WinGate proxies. If you are using WinGate with
an application that is not listed here, please mail us.

Microsoft Netscape Other

WWW Internet Netscape Pointcast Network


Browsers Explorer Navigator
NCSA Mosaic
FrontPage Communicator
Explorer (PC Web Snake
and Alpha)

Internet
Assistant

IRC Netscape Chat WS IRC

Mirabilis ICQ

mIRC

News Microsoft Netscape News Win VN


News
Forte Free agent

News Express

FTP FTP WS FTP

Cute FTP

FTP Outbox

Netload

FTP Explorer

Web Snake

FTP Voyager

Email Microsoft Mail Netscape Mail Email Connection Ak Mail

Exchange Pegasus Mail Axio eGo

Outlook Eudora Calypso

MailMonitor Click mail

Post Mark DMail

DTS Mail Mail Butler

Attendant Mail Cat

Re:Ply Send Mail

Transoft Teca Mail

Transoft

Mail Servers Exchange MailCoach Firstclass

NTMail FTGate

EMWAC SLMail

MDaemon Post Office

Video clients Vxtream VDOLive

Streamworks

Time Clients Socketwatch

AtomTime

Dimention4

Other Proxy Server Proxy Server RealAudio AOL

IIS Game Zone ZMUD

Sockcap32 MailMonitor

AutoSocks NTMail Auto Dial

MSN Athena

CompuServe – CISMail - WinCim –


CIS

Licensing in WinGate

The WinGate license you enter will determine two important things:

• Whether WinGate will run in HOME, STANDARD or PRO version mode


• How many users WinGate will allow to share the Internet connection at once.

The way WinGate Licenses work has changed a little in WinGate. We have made it easier for you to
evaluate WinGate’s HOME, STANDARD and PRO versions with a free 30-day trial licence.

I would like to trial WinGate for FREE before making a purchase?

When installing WinGate users may select a FREE 30-Day Trial License for PRO, STANDARD or
HOME. Users are no longer required to apply for a trial key and may start using the software
immediately.

This enables you to run a full-featured version of WinGate on your network with any license and any
number of users for 30 days.

After 30 days (from the day it is first installed) this trial key will expire. At this point you can purchase a
license to continue using our product (while retaining all of your existing setup) – no re-installation is
required.

I would like to purchase a license for WinGate?

Choosing between WinGate Home, Standard or Pro. This depends entirely upon the features that you
want to use (though if you want to have more than 6 licenses you will not be able to use WinGate Home
on your network).

Choosing a suitable number of licenses. This is entirely dependent on the size of your network, and
how frequently your users will be using the Internet once they have access. If your users will be
permanently connected to the Internet all of the time then they will require a separate license each. On the
other hand, if they use it intermittently and at different times of the day then you can probably share a pool
of licenses between them (WinGate will share these on a first-in-first-serve basis).

You can purchase the following licenses for each version of WinGate:

Number of Users    HOME    STANDARD    PRO

3 √ √

6 √ √ √

12 √ √

25 √ √

50 √ √

Unlimited √ √

Note that bandwidth (performance of the connection) is NOT related to the license count. Some people
use the license count as an easy way to make sure that each user is receiving a sufficient amount of
bandwidth. WinGate limits computers, but not bandwidth per computer. If you are having bandwidth
problems, it may be because one or more users are using a large proportion of the available bandwidth for
some activities.

How Does WinGate Count Licenses?

WinGate licenses are based on the number of computers connected to the Internet with WinGate at any
one time. When a computer attempts to connect to the Internet, WinGate records its unique private IP
address and counts this as one connected user. The number of connected users permitted by WinGate will
depend on the size of the license that you purchase. WinGate will accept connections from (and hence
provide Internet access to) only the licensed number of computers at any one time. However, bear in
mind that the WinGate server will always count as the first license.

Note About License Counts:

You should note that this license count includes computers connecting from anywhere, not just your LAN,
so if you are allowing access to Internet users (e.g. access to a web server running on the local network)
then you need to allow for these users as well. However, the license count excludes DHCP clients. This
means any licensed version of WinGate will provide full DHCP to any number of clients.

Contact Information

You can get technical support from the dealer from whom you purchased WinGate. For purchasing, if
you have obtained a trial key for WinGate, you should purchase your license from the dealer who
provided your license.

All other contact for WinGate is handled by the official WinGate publishers, Deerfield.com at the
following URL:

http://www.wingate.com

Sales inquiries may be made to sales@wingate.com

Other inquiries may be made to info@wingate.com

or alternatively by telephone, on (1) 517 732 8856 (Business hours US Eastern Standard Time)

Documentation for WinGate is being revised and improved continuously. Please visit the WinGate web
site occasionally for updated documentation and other information.

A full list of WinGate dealers, searchable by country is available at the following URL:

http://www.deerfield.com/resellers

About Qbik New Zealand Limited

WinGate is owned and developed by Qbik New Zealand Limited - a software
development company specializing in innovative Internet software solutions. Our main
office is in Auckland, New Zealand. You can find out more about Qbik and our other
products on our web site at: http://www.qbik.com

For any online WinGate support, you should see the following web site (for sales and any other general
inquiries refer to the Contact information): http://www.wingate.com

For sales, support, and general inquiries, see the Contact Information.

Development    Quality Assurance & Documentation    Project Management

Adrien de Croy Matt Mahoney Joanne Crang

Lyle Bainbridge Stephen O’Boyle Nick Egerton

Zan Oliphant Dean Broers

Tom Goodfellow

Tim Warren

Thanks also go to the many WinGate beta testers and supporters for giving their time and energy towards
making WinGate the product that we are most proud of.

How To Use WinGate Help

Using the F1 Key to Load Context-Specific Help

This help has been designed to teach you about WinGate in an interactive way. While using GateKeeper
or the WinGate Internet Client, you can press the F1 key (the standard Help shortcut key) at any time to
load context-specific help.

This means that the help loaded will apply to the screen that you are currently in. For example, pressing
F1 while editing the DHCP Service properties will load help on configuring DHCP.

Using Hot Spots to Move Through Help

Most of the screen shots of GateKeeper that appear in help are loaded with hotspots. Hotspots allow you
to click on areas of the interface in help as if you were using the real interface (e.g. menus, buttons, tabs
and anything else you want to find out about). Some hotspots will jump you to the appropriate place in
help, while others will simply pop-up a description of the item. The advantage is that you can explore the
features of WinGate in a natural way, while reading about each feature as you go.

You can practice using hotspots on the dialog below, or return to the previous screen by clicking on the
BACK button. Notice how the mouse pointer will change when it runs over a hot spot – this will help
you find the hot spots in other screens.


Year 2000 Compliant

WinGate 2.1 and subsequent versions are Year 2000 (Y2K) Compliant.

This means that WinGate will not produce errors in processing data in connection with the year change
from December 31, 1999 to January 1, 2000 when used with accurate date data in accordance with the
software documentation, provided all other software and/or hardware products used with it also exchange
date data properly with WinGate 2.1.

All WinGate users are strongly recommended to update their Windows operating systems with patches
and updates supplied by Microsoft. For more information, please refer to the Microsoft web site at
www.microsoft.com/y2k.

Feature Unavailable with this License

This feature is unavailable because you have not yet upgraded to the latest version of WinGate (this
feature is part of the latest version). Though we’d love to keep giving you more for free, we have to make
money somewhere.

Go to http://wingate.com/pricing (cut and paste this link into your web browser) to review your new or
upgrade license options.

DHCP

>> Click on the image hotspots for interactive popup help!

What Is DHCP?

DHCP stands for ‘Dynamic Host Configuration Protocol’. DHCP is a standard way of automatically
configuring client computers to access the Internet (e.g. allocating IP numbers and DNS servers). You
have probably had some experience with dynamic IP allocation already. When a modem makes a PPP
connection to an ISP, an IP number is often dynamically allocated to the modem.

What Does It Do?

DHCP is a means for networked computers to get their TCP/IP networking settings from a central server.
Importantly, DHCP assigns IP addresses and other TCP/IP configuration parameters automatically.
WinGate DHCP is different from other DHCP servers, in that it can even figure out what IP addresses to
allocate without the administrator having to predefine pools of addresses (scopes). It can also figure out
how to set the clients' gateway and several other parameters too, which means that not even the
administrator needs to be a TCP/IP expert to operate the WinGate DHCP server. Full manual override of
all automatic settings is also available in order to allow administrators to cater for their specific
requirements.

Why is this better?

DHCP eases both TCP/IP and WinGate configuration. Before DHCP, all the computers on a network had
to have unique private static IP addresses assigned to them and DNS also required configuration. Existing
WinGate users may remember that client computer TCP/IP configuration had 6 stages, for each computer.

Many options on the TCP/IP setup can be problematic, and one wrong setting can prevent a client from
getting the desired access.

With DHCP you simply install TCP/IP and nothing else is required, no IP number, no messing with DNS
settings! The DHCP client is installed as part of TCP/IP. If you already have TCP/IP installed, you
simply select "Obtain an IP address using DHCP" (Windows NT / 2000), or "Obtain an IP address
automatically" (Windows 95 / 98) in Settings/Control panel/Network/Network protocols – TCP/IP / IP
Address.

If you want the easiest network setup, use DHCP. DHCP is recommended as insurance against IP conflict
and configuration errors.

How Does It Work?

When Windows starts on a client computer, the DHCP client that is built into Windows TCP/IP sends a
broadcast packet on the network requesting an IP address. Any DHCP server that hears this request sends
a response, an ‘offer’ of an IP address. This IP address is chosen from a range of acceptable IP addresses
configured in the DHCP server. Each range of IP addresses is referred to as a scope. The client can then
‘accept’ the IP address. Any further configuration information is also forwarded to the client at that stage,
including DNS server details. When a client has had an IP lease for half the lease time, it will request a
new lease. It may receive the same or a different IP number. WinGate records information about each
active lease, and also integrates these with the WinGate rules, so you now have more information about
the computers using WinGate.

How About My Static IP Addresses?

You do not need to worry about computers on your network that cannot use DHCP. They can still use
their existing IP address. WinGate checks to see if it can ping an IP address before it will allocate it. If it
can ping an address, it knows the address is in use, and so it will not allocate it to any other computer.

You can also set excluded IP addresses in each scope that you create, or that WinGate creates for you (in
Settings/Control panel/Network/Network protocols – TCP/IP / IP Address.)

What are Reservations?

Reservations are used if you want to guarantee that a specific computer will always be allocated a certain
IP address, and that this address will not be allocated to any other computer. This is sometimes used
where you have purpose-built applications that connect to specific hosts, which may themselves use
DHCP to configure their networking. However, with WinGate's integration of DHCP with WinGate
DNS, this will become largely redundant, as you are able to look up the IP addresses of computers by
their computer name (Netbios name as opposed to their host name).

Reservations are also used if you wish to specify specific TCP/IP settings on a computer-by-computer
basis.

Changing to DHCP

If you have an existing network of statically assigned IP numbers, it is a simple job to change to a full
DHCP network. The WinGate DHCP server is installed with default recommended settings.

The WinGate server itself must have static IP addresses for its LAN cards. All other computers on your
network can use DHCP.

This is a fundamental requirement for all DHCP servers, not specific to WinGate. The IP addresses you
allocate to your WinGate server LAN cards determine which addresses are allocated to computers on
those networks. So, if you allocate 192.168.0.1 to one LAN card, all computers directly connected to that
card (i.e. on the same subnet) will be allocated addresses between 192.168.0.2 and 192.168.0.254.

If you have a multiple segment LAN, with routers between segments, these routers must run BOOTP
relay agents (or DHCP relay agents - DHCP uses the BOOTP packet format so that DHCP packets can be
forwarded by BOOTP relay agents). WinGate uses the IP address of the interface on a BOOTP
forwarding agent that a request was made on to allocate addresses. Therefore, WinGate will always
allocate IP addresses on the correct subnet. Network masks are taken from the RFC defining IP address
ranges.

Once the client computers are restarted, DHCP will take care of the IPs for you. Computers nearly
always obtain the same IP they had previously.
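
The exchange described under "How Does It Work?" and the relay-agent rule above, as an added example in Python (not WinGate code): it parses a BOOTP-format DHCP message, reports the lease and its half-lease renewal point, and picks the allocation subnet from the relay agent address (the giaddr field). The packets, the MAC address, the 192.168.5.x relay subnet and all function names are constructed for illustration, and the 255.255.255.0 mask is an assumed default.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # separates the BOOTP header from the DHCP options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE"}
# Fixed BOOTP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128].
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def build_message(op, xid, mac, options, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Pack a DHCP message; used here only to construct the sample packets."""
    zero = bytes(4)
    header = HEADER.pack(op, 1, 6, 0, xid, 0, 0, zero,
                         ipaddress.IPv4Address(yiaddr).packed, zero,
                         ipaddress.IPv4Address(giaddr).packed,
                         mac, bytes(64), bytes(128))
    tlv = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + tlv + b"\xff"


def parse_options(data):
    """Walk the code/length/value list, refusing options that overrun the packet."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                  # end marker
            return options
        if code == 0:                    # pad byte, carries no length field
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {code} is truncated")
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("options are missing the end marker")


def addresses(raw):
    """Decode an option value that holds one or more 4-byte IPv4 addresses."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def parse_message(packet):
    """Return the fields that matter when reviewing a DHCP exchange."""
    if len(packet) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("packet is shorter than a BOOTP header")
    (_op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = HEADER.unpack_from(packet)
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: plain BOOTP, not DHCP")
    if hlen > 16:
        raise ValueError("hardware address length exceeds the chaddr field")
    opts = parse_options(packet[HEADER.size + 4:])
    if len(opts.get(53, b"")) != 1:
        raise ValueError("message type option (53) is missing or malformed")
    msg = {
        "type": MESSAGE_TYPES.get(opts[53][0], f"unknown({opts[53][0]})"),
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "offered_ip": str(ipaddress.IPv4Address(yiaddr)),
        "relay_agent": str(ipaddress.IPv4Address(giaddr)),
        "routers": addresses(opts.get(3, b"")),
        "dns": addresses(opts.get(6, b"")),
    }
    if len(opts.get(51, b"")) == 4:      # lease time: 32-bit unsigned seconds
        msg["lease_seconds"] = struct.unpack("!I", opts[51])[0]
        msg["renew_after"] = msg["lease_seconds"] // 2   # renewal at half the lease
    return msg


def allocation_subnet(msg, receiving_interface, mask="255.255.255.0"):
    """Subnet to allocate from: the relay agent's if relayed, else the local one."""
    relayed = msg["relay_agent"] != "0.0.0.0"
    anchor = msg["relay_agent"] if relayed else receiving_interface
    return ipaddress.ip_network(f"{anchor}/{mask}", strict=False)


# Constructed sample packets: a DISCOVER forwarded by a relay agent at 192.168.5.1
# and the OFFER a server at 192.168.0.1 might send back with a 3-day lease.
MAC = bytes.fromhex("020000000a01")
DISCOVER = build_message(1, 0x1234ABCD, MAC, [(53, b"\x01")], giaddr="192.168.5.1")
OFFER = build_message(2, 0x1234ABCD, MAC,
                      [(53, b"\x02"), (51, struct.pack("!I", 3 * 86400)),
                       (3, ipaddress.IPv4Address("192.168.5.1").packed),
                       (6, ipaddress.IPv4Address("192.168.0.1").packed)],
                      yiaddr="192.168.5.20", giaddr="192.168.5.1")

if __name__ == "__main__":
    request = parse_message(DISCOVER)
    print(request["type"], "->", allocation_subnet(request, "192.168.0.1"))
    print(parse_message(OFFER))
```

A request that arrives with a zero relay agent address falls back to the subnet of the interface it was received on, which is why the server's own LAN cards need static addresses.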

How to Move From Manual to DHCP

For each client computer:

1. In Start/Settings/Control panel/Networks/ Protocols /TCP-IP (for the LAN card), on the IP
Address tab, change the selection from ‘Specify an IP address’ to ‘Obtain IP address
automatically’

2. Then click OK

3. Restart the computer. In the event of a conflict, simply restart the computer in question.

If you are currently using another DHCP server on your LAN, and wish to change over to the WinGate
DHCP server, simply start the DHCP service in WinGate, and stop your other DHCP server. The client
computers will attempt to renew their leases, and when they cannot communicate with their previous
DHCP server, they will broadcast a request to all DHCP servers, at which stage WinGate will take over
management of the lease.

DHCP Information

Configuring DHCP is easy. WinGate automatically installs a DHCP service. The default is Fully
automatic DHCP mode, where IP ranges, DNS and all settings are provided. If you prefer to have more
control over the settings, Manual mode allows total control.

These are some terms relating to DHCP:

Subnet A subnet is a group of computers that are directly connected via coax or a
hub. A computer with two network adapters will be on 2 subnets.

Interface An interface is any connection to a network. This may be a Network card,
modem, ISDN card or other TCP/IP capable device that is installed in a
computer.

Lease The length of time for which a dynamically assigned IP can be used. Before
the lease expires, the client must renew the lease with the DHCP server.

Reservation A Reservation is used to specify that a specific computer will always be
allocated a specific IP address.

Scope A Scope is a range of IP addresses, and associated TCP/IP configuration
options. A DHCP scope comprises a pool of available IP addresses in a
contiguous subnet. Each scope is used to define parameters for each subnet
or interface. Each scope has the following properties:
• Each scope is associated with an interface. This interface is the
interface in WinGate that the DHCP client requests will come in on.
• A scope name / description.
• A subnet mask used to determine the subnet related to a given IP
address.
• Lease time to be assigned to DHCP clients with dynamic addresses.

Exclusions Excluded IP ranges allow the administrator to say "Don’t allocate these IP
addresses to any computer". An exclusion range must lie within the scope.
In Auto mode, the IP of the WinGate server is automatically added as an
exclusion.

Option A DHCP option specifies a parameter that will be configured in a DHCP
client, for example the DNS server, or the default gateway. There are options
in DHCP on three levels. There are Global options, Scope options, and
Reservation options. Reservation options override Scope options, which
override global options.

Even in Fully automatic mode you are still able to manually configure any scopes and extra options. This
mode simply refers to what WinGate will do automatically to help you, so if you have specific
requirements, it can be useful to start out using fully automatic mode, and then do your own modifications
later on.

Starting DHCP

DHCP will be installed and started by default upon installation or upgrade of WinGate. Starting the
WinGate engine will also start the DHCP service. If the DHCP service is stopped for any reason, it can
be restarted in this manner.

How to "Start" the WinGate DHCP Service:

From GateKeeper:

1. Go to the System Services tab

2. Right-click on the DHCP Service

3. Select Start.

Stopping DHCP

If you wish to stop the service for any reason, use the method below. Clients that have obtained their IP
addresses from the DHCP service will not lose their settings.

How to "Stop" the WinGate DHCP Service:

From GateKeeper:

1. Go to the System Services tab

2. Right-click on the DHCP Service

3. Select Stop.

Note that the service will start up again when the engine is restarted – you must totally disable the
WinGate DHCP for it to remain stopped.

Disabling WinGate DHCP

You can use the WinGate DHCP Server, another DHCP server, or none at all – it is completely up to you
(though we recommend using WinGate DHCP). The WinGate DHCP Server will be installed and started
by default.

How to "Disable" the WinGate DHCP Service:

From GateKeeper:

1. Open WinGate DHCP Service

2. On the General tab’s startup options, select ‘disabled’

3. Click OK to close the DHCP service dialog

4. Right click on the DHCP service in GateKeeper and select Stop from the context menu. This
will permanently stop and unbind the service from the interface.

See also:

DHCP Service Properties

DHCP General tab


This is the first tab you see on the DHCP service.

Important Note:

Do not change the port number. 67 is the only port used by DHCP; if you change it, the service will not operate.

The check box ‘Allow allocation of non-private addresses’ should remain unchecked. Only use this
option if it is essential to use IP numbers that are not in the private range. See Private IP’s for further
explanation.

DHCP Bindings tab


The DHCP bindings tab works rather differently to other services. The picture above shows the bindings
tab on a computer that has several LAN cards. The DHCP will not allow you to bind to any modem or
non-static interface for security reasons. In addition to this, localhost cannot be bound to. In the example
above, the DHCP server will only allocate IP numbers to computers whose request was received on
192.168.0.4.

DHCP Configuration


DHCP is configured via GateKeeper. The service is installed by default. DHCP is considerably more
complex in structure than the other services. For this reason we have provided a fully automatic mode of
operation. We do not recommend changing from Fully Automatic mode unless you understand DHCP
and the effects of your changes.

DHCP Modes of Operation

Fully-Automatic This does everything for you. All settings are standard and will work in nearly
all circumstances. DNS is set to the WinGate server itself. There are no
Reservations. Scopes are created as required based on the IP of the WinGate
server or DHCP relay agent. Fully Automatic mode copes with DHCP Relay
agents and multiple subnets. The default gateway is configured as the
WinGate server (if WinGate is running on a multi-homed host) or the IP
address of a relay agent.

Semi-Automatic This allows configuration of what WinGate will and will not automatically do
(think of it as "custom")

Manual Only use this mode if you understand DHCP and its options. Manual mode is
useful for complex networks where there are several different computers with
a range of requirements.

Note About DHCP Bindings:

There must be a binding for every interface that you wish to use DHCP on. All your LAN cards should be
listed in the Bindings tab.

DHCP Settings

The DHCP Settings tab shows the current DHCP configuration for your LAN.

The icons represent:

• Interfaces found on that computer

• Respective scopes associated with this interface

• Reservations assigned to that scope

• The Global Options.

Double clicking the Scope or Reservation icons gives you their respective properties.

Global options are applied to all scopes on all interfaces. Scope options override Global options and are
applied to the scope and all reservations under that scope. Reservation options override Scope
options and are applied only to that particular reservation.

See Also:

Adding a Scope

Changing Scope properties

Removing a scope

Managing client reservations

Adding a Scope

To add a new scope:


1. Select the DHCP settings tab
2. Right-click the interface on which you wish to add a scope
3. Choose New Scope
4. Follow Changing Scope properties

Changing Scope Properties


You can change the properties of an existing scope. You can extend the address range of the scope, but
you should not reduce it. You can, however, exclude any unwanted addresses from the range.

To Define the Properties of a DHCP Scope:

1. Select the DHCP settings tab

2. Double click the scope you want to change

3. The dialog box above will be displayed

4. Configure the properties as required (see below).

General Properties:

The Description is a unique name for this scope. This will be displayed in the DHCP options window.
The Scope enabled option enables/disables allocation from this scope.

Allocate IP addresses in the range Properties:

This is the range of IP addresses to allocate to clients. 192.168.0.* is the default, as is the Network Mask
of 255.255.255.0. If you wish to use different options for the range or mask, see the advanced sections.

Lease Duration Properties:

The default lease time is 3 days. This is a suitable time for most LANs. If you have a LAN with more
computers than the size of your scope, you may wish to keep the lease period short. This will enable the
available IPs to be shared around.

Excluded Addresses Properties:

These are IPs within the scope range that you do not wish to allocate to client computers.

In the example above, the IP address 192.168.0.100 and all the IP addresses from 220 to 240 will not be
allocated.

To add an exclusion:

1. In the Dialog Box above, type the IP number you wish to exclude into the From field

2. To exclude a range, type in an end address into the To field

3. Click Add.

Removing a Scope

When a subnet is no longer in use, or if you want to remove an existing scope, you can remove it from the
DHCP service. It is recommended that you deactivate a scope until you know that no leases are current
before deleting it.

To Remove a Scope:

The scope should be deactivated until you are sure the scope is not in use.

1. On the Scopes list in the DHCP window, select the scope you want to remove

2. On the Scope menu, click Delete.

Managing Client Reservations

You can reserve a specific IP address for a client. Typically, you will need to do this if the client uses an IP
address that needs to remain constant. Fully automatic mode will not allow reservations.

• If multiple DHCP servers are distributing addresses in the same scope, the client reservations on
each DHCP server should be identical. Otherwise, the DHCP reserved client will receive different
IP addresses, depending on the responding server.

• You can change any information about a reserved client at any time.

• Reserving an address does not automatically force a client who is currently using the address to
move elsewhere. If you are reserving a new address for a client, or an address that is different
from the client’s current one, you should verify that the DHCP server has not already leased the
address. If the address is already in use, the client that is using it must release the address by
issuing a release request.

Adding a Client Reservation


In WinGate DHCP, you can set reservations based on the name of the computer, rather than the MAC
address (hardware address) of the LAN card. This means you can retain your reservations even when you
change hardware.

To Add a Reservation for a Client Computer:

1. Select the DHCP Settings tab

2. Right click the Scope where you wish to add the reservation

3. Select New Reservation

4. Type in information to identify the first reserved client:

a. IP Address specifies an address from the scope’s range. You can specify any unused IP
address in the scope

b. Reserved for computer name / MAC address allows selection of the identifier for the
client computer

c. Identifier specifies the Name or MAC address for the client computer, depending on
the option chosen above. We recommend using the Name as this is easier and it is
associated with the computer rather than simply the card

5. Click Add to add the reservation to the DHCP database. You can continue to add reservations
without closing this dialog box.

Determining a Client Computer’s MAC Address:

• In NT / 2000: Type "ipconfig /all" at the command prompt on the client computer

• In 95 / 98 / ME: Type "winipcfg" then click the more >> button. Details are under Adapter
address.

To Change the Reserved IP Address

Reservation information can be changed any time. Changes will not be reflected in the client till the lease
is renewed.

Assigning DHCP Configuration Options

Besides the IP addressing information, other DHCP options to be passed to DHCP clients must be
configured for each scope, or globally under the Global Options.

Options can be defined globally for all scopes, specifically for a selected scope, or for individual DHCP
clients:

• Active global option types always apply, unless overridden by scope or DHCP client settings

• Active option types for a scope apply to all computers in that scope, unless overridden for an
individual DHCP client.

Only configure options if you know what effect it will have on DHCP. Some options are
interrelated (see the DHCP Configurable Option List).
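
An added sketch in Python (not WinGate's implementation) of the scope rules described in the sections above: exclusions, reservations by computer name, the in-use probe before allocation, and the Global / Scope / Reservation option precedence. The class and function names, the PRINTSRV reservation and the in_use callback are hypothetical, and the exclusion reads the page's "220 240" as 192.168.0.220 to 192.168.0.240.

```python
import ipaddress
from dataclasses import dataclass, field

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918


def ip(text):
    return ipaddress.IPv4Address(text)


@dataclass
class Scope:
    first: str
    last: str
    mask: str = "255.255.255.0"
    exclusions: list = field(default_factory=list)    # inclusive (from, to) pairs
    reservations: dict = field(default_factory=dict)  # computer name -> (ip, options)
    options: dict = field(default_factory=dict)       # scope-level options
    leases: dict = field(default_factory=dict)        # ip -> computer name

    def contains(self, addr):
        return ip(self.first) <= ip(addr) <= ip(self.last)

    def excluded(self, addr):
        return any(ip(lo) <= ip(addr) <= ip(hi) for lo, hi in self.exclusions)

    def problems(self, server_ip, allow_non_private=False):
        """Check the scope against the rules this page states; return findings."""
        found = []
        net = ipaddress.ip_network(f"{self.first}/{self.mask}", strict=False)
        if ip(self.first) > ip(self.last) or ip(self.last) not in net:
            found.append("range does not fit inside one subnet")
        if not allow_non_private and not any(net.subnet_of(p) for p in PRIVATE):
            found.append("range is outside private address space")
        for lo, hi in self.exclusions:
            if not (self.contains(lo) and self.contains(hi) and ip(lo) <= ip(hi)):
                found.append(f"exclusion {lo}-{hi} does not lie within the scope")
        if self.contains(server_ip) and not self.excluded(server_ip):
            found.append(f"server address {server_ip} is not excluded")
        for name, (addr, _) in self.reservations.items():
            holder = self.leases.get(addr)
            if not self.contains(addr):
                found.append(f"reservation for {name} is outside the scope")
            elif holder not in (None, name):
                found.append(f"{addr} reserved for {name} is still leased to {holder}")
        return found

    def allocate(self, name, in_use=lambda addr: False):
        """Pick the address to offer `name`; None when nothing can be offered."""
        if name in self.reservations:
            addr = self.reservations[name][0]
            if self.leases.get(addr, name) != name:
                return None                 # current holder must release it first
            self.leases[addr] = name
            return addr
        for addr, holder in self.leases.items():
            if holder == name:              # returning client keeps its address
                return addr
        reserved = {addr for addr, _ in self.reservations.values()}
        for number in range(int(ip(self.first)), int(ip(self.last)) + 1):
            addr = str(ip(number))
            if self.excluded(addr) or addr in reserved or addr in self.leases:
                continue
            if in_use(addr):                # a static host answered the probe
                continue
            self.leases[addr] = name
            return addr
        return None

    def effective_options(self, global_options, name):
        """Reservation options override scope options, which override global ones."""
        merged = {**global_options, **self.options}
        merged.update(self.reservations.get(name, (None, {}))[1])
        return merged


def sample_scope():
    """Constructed scope using the addresses this page uses in its examples."""
    return Scope(first="192.168.0.2", last="192.168.0.254",
                 exclusions=[("192.168.0.100", "192.168.0.100"),
                             ("192.168.0.220", "192.168.0.240")],
                 reservations={"PRINTSRV": ("192.168.0.50", {"dns": ["192.168.0.9"]})},
                 options={"router": "192.168.0.1"})


GLOBAL_OPTIONS = {"dns": ["192.168.0.1"], "lease_seconds": 3 * 86400}

if __name__ == "__main__":
    scope = sample_scope()
    print(scope.problems(server_ip="192.168.0.1"))
    print(scope.allocate("PC1", in_use=lambda a: a == "192.168.0.2"))
    print(scope.effective_options(GLOBAL_OPTIONS, "PRINTSRV"))
```

The problems() check also flags a reserved address that is still leased to another computer, which is the verification the reservation section asks the administrator to make by hand.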

To Assign DHCP Configuration Options:

1. In the DHCP Service/Settings tab/Settings, double click the scope you want to configure, or click
global to configure all, or click a specific reservation

2. Click Options

3. For options that you wish to configure, use the Add button to move them from the Available list to
the In use list

4. Double click an ‘in use’ option name to edit it

5. Enter the relevant information

6. Click OK.

Example:

To specify the DNS name servers to be used by DHCP clients, double click DNS Server and then type an
IP address for a DNS server in the edit box and click add. The list should be in the order of preference, so
that the first server in the list is the first server to be consulted.

To Remove a Configured Option:

1. Select the option and click remove

2. Click OK.

Note on WINS Server:

If you specify a WINS Server, you must also configure an NBT Node type.

Releasing and Renewing a DHCP Lease

To Release and Renew an IP number, on the Client Computer:

Reserving an address or changing a reservation does not force the client for whom the reservation is
made to move to the reserved address. In this case, too, the client must issue a renewal request.

For 95, 98 or ME:

1. Click Start/ Run

2. Enter ‘winipcfg’ and click OK

3. Make sure your network card (NIC) is selected (rather than the PPP adapter)

4. Click renew

5. Click release.

For 2000 / NT Workstation or Server:

1. Open the Command Prompt

2. Type ‘ipconfig /release’ to release the old settings

3. Type ‘ipconfig /renew’ to get the DHCP server to configure your client computer with the new
settings.

You may be prompted to restart your computer.

DHCP Configurable Options

Listed are the DHCP options configurable in the WinGate DHCP server. Most DHCP clients will ignore
many of these options. Please only change options that you understand. This section is provided for
reference as you will rarely need to change any of these options – DHCP is designed to be a "set and
forget" service for WinGate users.

Time offset

Specifies the Universal Coordinated Time (UCT) offset in seconds.

Router

Specifies a list of IP addresses for routers on the client’s subnet.

Time server

Specifies a list of IP addresses for time servers available to the client.

Name servers

Specifies a list of IP addresses for name servers available to the client.

DNS servers

Specifies a list of IP addresses for DNS name servers available to the client.

Log servers

Specifies a list of IP addresses for MIT_LCS User Datagram Protocol (UDP) log servers available to the
client.

Cookie servers

Specifies a list of IP addresses for RFC 865 cookie servers available to the client.

RCS Log servers

Specifies a list of IP addresses for RFC 1179 line-printer servers available to the client.

Impress servers

Specifies a list of IP addresses for Imagen Impress servers available to the client.

RLP servers

Specifies a list of RFC 887 Resource Location servers available to the client.

Host name

Specifies the host name of up to 63 characters for the client. The name must start with a letter, end with a
letter or digit, and have as interior characters only letters, numbers, and hyphens. The name can be
qualified with the local DNS domain name.

Boot file size

Specifies the size of the default boot image file for the client, in 512-octet blocks.

Merit dump file

Specifies the ASCII path name of a file where the client’s core image is dumped if a crash occurs.

Domain name

Specifies the DNS domain name the client should use for DNS host name resolution.

Swap server

Specifies the IP address of the client’s swap server.

Root path

Specifies the ASCII path name for the client’s root disk.

Extensions path

Specifies a file retrievable via TFTP containing information interpreted the same as the vendor-extension
field in the BOOTP response, except the file length is unconstrained and references to Tag 18 in the file
are ignored.

IP layer forwarding

Enables or disables forwarding of IP packets for this client.

Non-local source routing

Enables or disables forwarding of datagrams with non-local source routes.

Policy filter masks

Specifies policy filters that consist of a list of pairs of IP addresses and masks specifying destination/mask
pairs for filtering non-local source routes. Any source routed Datagram whose next-hop address does not
match a filter will be discarded by the client.

Max Datagram reassembly size

Specifies the maximum size Datagram that the client can reassemble. The minimum value is 576.

Default time-to-live

Specifies the default time-to-live (TTL) that the client uses on outgoing datagrams. The value for the
octet is a number between 1 and 255.

All subnets are local

Specifies whether the client assumes that all subnets of the client’s internetwork use the same MTU as
the local subnet where the client is connected. 1 indicates that all subnets share the same MTU; 0
indicates that the client should assume some subnets may have smaller MTUs.

Broadcast address

Specifies the broadcast address used on the client’s subnet.

Mask discovery

Specifies whether the client should use Internet Control Message Protocol (ICMP) for subnet mask
discovery.

Is Mask supplier

Specifies whether the client should respond to subnet mask requests using ICMP.

Router discovery

Specifies whether the client should solicit routers using the router discovery method in RFC 1256.

Router solicitation address

Specifies the IP address to which the client submits router solicitation requests.

Trailer encapsulation

Specifies whether the client should negotiate use of trailers (RFC 983) when using the ARP protocol.

ARP cache timeout

Specifies the timeout in seconds for ARP cache entries.

Ethernet encapsulation

Specifies whether the client should use Ethernet v. 2 (RFC 894) or IEEE 802.3 (RFC 1042) encapsulation
if the interface is Ethernet.

Default time-to-live

Specifies the default TTL the client should use when sending TCP segments. The minimum value of the
octet is 1.

Keepalive interval

Specifies the interval in seconds the client TCP should wait before sending a keepalive message on a TCP
connection.

Keepalive garbage

Specifies whether the client should send TCP keepalive messages with an octet of garbage data for
compatibility with older implementations.

NIS domain name

Specifies the name of Network Information Service (NIS) domain as an ASCII string.

NIS servers

Specifies a list of IP addresses for NIS servers available to the client.

NTP servers

Specifies a list of IP addresses for Network Time Protocol (NTP) servers available to the client.

WINS/NBNS servers

Specifies a list of IP addresses for NetBIOS name servers (NBNS).

NetBIOS over TCP/IP NBDD

Specifies a list of IP addresses for NetBIOS datagram distribution servers (NBDD).

WINS/Netbt node type

Allows configurable NetBIOS over TCP/IP clients to be configured as described in RFC 1001/1002.
Options are b-node, p-node, m-node, and h-node.

NetBIOS scope ID

Specifies a string that is the NetBIOS over TCP/IP Scope ID for the client, as specified in RFC
1001/1002.

X Window font server

Specifies a list of IP addresses for X Window font servers available to the client.

X Window system display

Specifies a list of IP addresses for X Window System Display Manager servers available to the client.

Appendix

Topics Covered:

How To Use WinGate Help

Advanced WinGate Configuration

Appendix

DNS Options

Encryption

Glossary

hosts files

Logic and Caching

Multi segment LANs

Port Assignments

Ports

TCP UDP and IP

Routing

Secure Interoffice Communications

TCP/IP and Network topics

Uninstalling WinGate

Using Proxy Auto Configuration

Why do I need DNS?

Port Assignments

The following lists the port numbers for well-known services as defined by RFC 1060 (Assigned
Numbers).

Format:

<service name> <port number>/<protocol> [aliases...] [#<comment>]

echo 7/tcp

echo 7/udp

discard 9/tcp sink null

discard 9/udp sink null

systat 11/tcp

systat 11/tcp users

daytime 13/tcp

daytime 13/udp

netstat 15/tcp

qotd 17/tcp quote

qotd 17/udp quote

chargen 19/tcp ttytst source

chargen 19/udp ttytst source

ftp-data 20/tcp

ftp 21/tcp

telnet 23/tcp

smtp 25/tcp mail

time 37/tcp timserver

time 37/udp timserver

rlp 39/udp resource # resource location

name 42/tcp nameserver

name 42/udp nameserver

whois 43/tcp nicname # usually to sri-nic

domain 53/tcp nameserver # name-domain server

domain 53/udp nameserver

nameserver 53/tcp domain # name-domain server

nameserver 53/udp domain

mtp 57/tcp # deprecated

bootp 67/udp # boot program server

tftp 69/udp

rje 77/tcp netrjs

finger 79/tcp

link 87/tcp ttylink

supdup 95/tcp

hostnames 101/tcp hostname # usually from sri-nic

iso-tsap 102/tcp

dictionary 103/tcp webster

x400 103/tcp # ISO Mail

x400-snd 104/tcp

csnet-ns 105/tcp

pop 109/tcp postoffice

pop2 109/tcp # Post Office

pop3 110/tcp postoffice

portmap 111/tcp

portmap 111/udp

sunrpc 111/tcp

sunrpc 111/udp

auth 113/tcp authentication

sftp 115/tcp

path 117/tcp

uucp-path 117/tcp

nntp 119/tcp usenet # Network News Transfer

ntp 123/udp ntpd ntp # network time protocol (exp)

nbname 137/udp

nbdatagram 138/udp

nbsession 139/tcp

NeWS 144/tcp news

sgmp 153/udp sgmp

tcprepo 158/tcp repository # PCMAIL

snmp 161/udp snmp

snmp-trap 162/udp snmp

print-srv 170/tcp # network PostScript

vmnet 175/tcp

load 315/udp

vmnet0 400/tcp

sytek 500/udp

biff 512/udp comsat

exec 512/tcp

login 513/tcp

who 513/udp whod

shell 514/tcp cmd # no passwords used

syslog 514/udp

printer 515/tcp spooler # line printer spooler

talk 517/udp

ntalk 518/udp

efs 520/tcp # for LucasFilm

route 520/udp router routed

timed 525/udp timeserver

tempo 526/tcp newdate

courier 530/tcp rpc

conference 531/tcp chat

rvd-control 531/udp MIT disk

netnews 532/tcp readnews

netwall 533/udp # -for emergency broadcasts

uucp 540/tcp uucpd # uucp daemon

klogin 543/tcp # Kerberos authenticated rlogin

kshell 544/tcp cmd # and remote shell

new-rwho 550/udp new-who # experimental

remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem

rmonitor 560/udp rmonitord # experimental

monitor 561/udp # experimental

garcon 600/tcp

maitrd 601/tcp

busboy 602/tcp

acctmaster 700/udp

acctslave 701/udp

acct 702/udp

acctlogin 703/udp

acctprinter 704/udp

elcsd 704/udp # errlog

acctinfo 705/udp

acctslave2 706/udp

acctdisk 707/udp

kerberos 750/tcp kdc # Kerberos authentication--tcp

kerberos 750/udp kdc # Kerberos authentication--udp

kerberos_master 751/tcp # Kerberos authentication

kerberos_master 751/udp # Kerberos authentication

passwd_server 752/udp # Kerberos passwd server

userreg_server 753/udp # Kerberos userreg server

krb_prop 754/tcp # Kerberos slave propagation

erlogin 888/tcp # Login and environment passing

kpop 1109/tcp # Pop with Kerberos

phone 1167/udp

ingreslock 1524/tcp

maze 1666/udp

nfs 2049/udp # sun nfs

knetd 2053/tcp # Kerberos de-multiplexor

eklogin 2105/tcp # Kerberos encrypted rlogin

rmt 5555/tcp rmtd

mtb 5556/tcp mtbd # mtb backup

man 9535/tcp # remote man server

w 9536/tcp

mantst 9537/tcp # remote man server, testing

bnews 10000/tcp

rscs0 10000/udp

queue 10001/tcp

rscs1 10001/udp

poker 10002/tcp

rscs2 10002/udp

gateway 10003/tcp

rscs3 10003/udp

remp 10004/tcp

rscs4 10004/udp

rscs5 10005/udp

rscs6 10006/udp

rscs7 10007/udp

rscs8 10008/udp

rscs9 10009/udp

rscsa 10010/udp

rscsb 10011/udp

qmaster 10012/tcp

qmaster 10012/udp

TCP/IP and Network Topics

This section contains topics that are related to WinGate operation, but not essential to understand.

The material contained in this section will give you superior knowledge of WinGate and the Internet.

Click any of the links below for more information on specific network topics:

• TCP UDP and IP

• Ports

• DNS Options

• Why do I need DNS?

• Multi-Segmented LANs

• Routing

The glossary is available from the tool bar in the help system.

Using Proxy Auto Configuration

Introduction

Proxy Auto Configuration (PAC) is a system for configuring browser proxies for networked
computers. It allows you to have one proxy setup file on the network, thereby saving individual
configuration of client computers. This is especially suitable for WinGate networks, as once the client
computers are set up, only one computer needs configuration. The Proxy Auto Config file is a special
format file that can reside anywhere on the shared network. When set up correctly, it allows dynamic
assignment of proxy servers and ports.

Setting up the PAC file

The PAC file is in JAVA. Do not worry about this as you don’t need to know Java to be able to configure
these files.

This file should be called wgproxy.pac or have a similar name, and the standard file format is just a
text file that looks like this:

function FindProxyForURL(url, host) {
    // http:, ftp: and https: URLs all use "wingate" on port 80.
    if (url.substring(0, 5) == "http:") {
        return "PROXY wingate:80";
    } else if (url.substring(0, 4) == "ftp:") {
        return "PROXY wingate:80";
    } else if (url.substring(0, 6) == "https:") {
        return "PROXY wingate:80";
    } else {
        // Anything else uses "wingate" on port 1080.
        return "PROXY wingate:1080";
    }
}

The content is fairly self-explanatory; the meaning of the code is explained below:

if (url.substring(0, 5) == "http:") { return "PROXY wingate:80"; }

If the first 5 letters of the URL are "http:" then tell the browser to use "wingate" on port 80.

else if (url.substring(0, 4) == "ftp:") {
    return "PROXY wingate:80";
}

Otherwise, if the first 4 letters of the URL are "ftp:" then tell the browser to use "wingate" on port 80, etc.

It is easy to change the code to tell the browser when not to use a proxy with a line such as:

if (url.substring(0, 15) == "http://localbox")

{return "DIRECT";}

For more details on the format and available commands, see

http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

If you are using the suggested ports and name for your WinGate services then you will not need to change
anything in the above file.
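
The bypass line shown earlier compares a URL prefix, so it is also true for hosts such as localbox2 or localbox.example.net, which would then skip the proxy. The following added example (browsers evaluate the PAC file as JavaScript; this is not part of the WinGate manual) makes the DIRECT decision on the host argument instead and lists where the two rules differ. "wingate", the ports and "localbox" are the manual's sample values; the URLs are constructed.

```javascript
// Added example, not from the WinGate manual.

// The manual's scheme tests, unchanged in behaviour.
function byScheme(url) {
  if (url.substring(0, 5) == "http:" ||
      url.substring(0, 4) == "ftp:" ||
      url.substring(0, 6) == "https:") {
    return "PROXY wingate:80";
  }
  return "PROXY wingate:1080";
}

// The manual's bypass test, kept as written for comparison.
function prefixRule(url, host) {
  if (url.substring(0, 15) == "http://localbox") {
    return "DIRECT";
  }
  return byScheme(url);
}

// Same policy, but the bypass is decided on the host name the browser
// passes in, so only the host called exactly "localbox" goes direct.
function FindProxyForURL(url, host) {
  if (host.toLowerCase() === "localbox") {
    return "DIRECT";
  }
  return byScheme(url);
}

// Constructed samples: [url, host as the browser would pass it].
var SAMPLES = [
  ["http://localbox/index.html", "localbox"],
  ["http://localbox.example.net/", "localbox.example.net"],
  ["http://localbox2/", "localbox2"],
  ["https://www.example.com/", "www.example.com"],
  ["gopher://gopher.example.org/", "gopher.example.org"]
];

// Return the samples for which the two rules give different answers.
function disagreements() {
  return SAMPLES.filter(function (s) {
    return prefixRule(s[0], s[1]) !== FindProxyForURL(s[0], s[1]);
  }).map(function (s) {
    return {
      url: s[0],
      prefix: prefixRule(s[0], s[1]),
      host: FindProxyForURL(s[0], s[1])
    };
  });
}

disagreements().forEach(function (d) {
  console.log(d.url + "  prefix rule: " + d.prefix + "  host rule: " + d.host);
});
```

Only the function named FindProxyForURL (together with byScheme) belongs in the .pac file; the rest is a harness for checking the rule before it is deployed.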

Network and Client setup

Setting up the Auto config file is as simple as placing the PAC file in the root directory of any shared
computer on the network. To refer to this file, computers have to have their browsers set to use the
Automatic Proxy Configuration file. This is accessed in most browsers via the preferences/network
menu. The browser wants a URL, so if you want to serve the file from a network disk then you should use
the following method.

If the computer’s network name is, say, "server" then you would type ‘ \\server\c\proxy.pac ’
(without the quotes) into the URL edit box. The double \\’s mean network, the c is the drive, and
proxy.pac is the file.

Ports

A port can be thought of as a channel of communications to a computer. Similar to telephones, it is like a
company PABX that has several lines. Packets of information coming into a computer are addressed not
only to that computer, but also to that computer on a specified port. You can think of a port as a radio
channel if you like, but the fundamental difference between a radio receiver and a computer is that the
computer can listen to any or all of 65000 possible channels at once!

Note, however, that typically the computer is not listening on very many ports at all. The computer will
not respond to data or connection requests that are sent to a port on which it is not listening.

Also note that there are a number of important predefined ports, which are universally used for various
services. Some of the major ones are:

Service       Port    Description

FTP           21      File Transfer Protocol - for transferring files
Telnet        23      For logging into an account on a remote host
SMTP          25      For sending mail
Gopher        70      Text menu based browser
HTTP          80      WWW protocol - Netscape, Mosaic
POP3          110     Downloading mail
NNTP          119     Internet newsgroups
IRC           6667    Internet Relay Chat
CompuServe    4144    CompuServe WinCIM communications
AOL           5190    America Online
MSN           569     Microsoft Network

More ‘used’ ports are listed in the Assigned Ports section.

IMPORTANT NOTE:

Two applications on one computer generally cannot both listen on the same port at the same time. This is
relevant, because if you try to set WinGate to listen on a port that some other application is already
listening on (e.g. you are already running an FTP server), it will not be able to start listening.

WinGate note:

If you find you get the error icon when you start WinGate with the message ‘Cannot start socket
listening’, then you can be pretty sure this is the reason. You then need to check in WinGate to see which
local port has come up as disabled, and change that service to listen on a different port. Port numbers
above 1024 are normally safe to use. Remember to update the client applications that were relying on that
service being on that port to the new port number.

DNS Options

DNS is essential for ‘name lookup’ ability for the computers on your network. While it is recommended
that you use the DNS in WinGate, there are other options. Various methods are detailed below, with their
pros and cons.

WinGate DNS server

This default method is the simplest, yet in many ways the most powerful. The WinGate DNS server
automatically recognizes the name ‘wingate’ and will return the IP of the WinGate server. This
eliminates the need for hosts files.

This method is not suitable if you want to have external name resolution for your site, i.e. if you have a
domain name, you will need to run a third party DNS Server.

Mapped Link method

This method is detailed in Adding a Mapped Link. The UDP Mapped link on port 53 allows all DNS
requests to be mapped to an external DNS server. This is usually that of your ISP. This gives you access
to a full DNS implementation, without having to run a third party server.

This method is not suitable if you want to have external name resolution for your site, i.e. if you have a
domain name, you will need to run a third party DNS Server. This does not provide name lookup for the
name ‘wingate’. Clients can use hosts files if they wish to refer to the name ‘wingate’.

Third Party DNS Server

Running a stand-alone DNS server such as Bind is necessary if you have a domain name for your server.
In this case, clients will receive their DNS service from the third party server. This does not provide
name lookup for the name ‘wingate’. Clients can use hosts files if they wish to refer to the name
‘wingate’.

Note: Getting DNS working on your client computers can be tricky. We strongly recommend using the
WinGate DNS and DHCP servers to simplify this process.

Why do I need DNS?

Note:

WinGate will now configure DNS for the client computers via DHCP. This section is retained for
historical reasons.

For anything to work at all, the WinGate server must have a working DNS setup. For the rest of your
LAN, that will be accessing the Internet through WinGate, you have the option of setting it up or not.

The following are the main reasons why you may want to set up DNS on your LAN:

• You want to use SOCKS to access FTP, Gopher, or HTTPS URLs in a browser

• You want to run some other SOCKS capable software

• You have a large LAN and you want name resolution for the computers on your LAN.

None of the proxies in WinGate other than SOCKS require DNS to be working on the computers on your
LAN.

One of the quirks of the SOCKS protocol is that a request for a connection is made in the form of a
request for connection to an IP address. This means that a SOCKS client needs to be able to look up
addresses in order to supply this IP address to the SOCKS server.

For this reason, the DNS server was added to WinGate. If you already have DNS on your internal
network, and it has sufficient scope to resolve all the names you wish to connect to, then you will not
need to run the WinGate DNS server. You should not enable the DNS server in WinGate if you are
already running a DNS server on the same computer - this will mess up your DNS server.

You will need to enable the DNS on your LAN however.

If you are using the DNS server in WinGate, you should set the DNS Server settings for your LAN
adapters (on all computers except the WinGate server) to be the IP address of the WinGate server.

There are many very good resources on the Internet, which will help you to set this all up. In particular,
the following page will most likely be able to help you if you run into difficulties:

http://www.windows95.com/connect/

In addition, the Qbik New Zealand Web pages will always contain the latest information about Qbik
products such as WinGate.

http://www.qbik.com/

Do you remember that IP addresses have to be unique for computers on the same network? Well, you can
think of the entire Internet as a single network. However, your LAN is probably not on the same network,
even if one of the computers (i.e. the WinGate server) is on the Internet. You see, it is not so much a
computer being on the Internet as a computer interface, whether this is a LAN card or a serial port to
your modem. The Internet can see the interface that is connected, but no further.

This means that you can choose any number you like for the computers on your LAN. A word of
caution, however: it isn’t a good idea to choose just any number, because you have to think of the
situation in which WinGate server is running.

The WinGate server can see the entire Internet, and your LAN. Therefore, you don’t want to confuse it
by giving your LAN the same addresses that the WinGate server can see on the Internet.

Fortunately, some smart person already thought of this, and a great number of addresses have been kept
aside for just this purpose. These addresses are called "private addresses" and are not meant to be
available anywhere on the Internet. Therefore, by using them on your LAN, there won’t ever be any
confusion for the WinGate server.

Depending on the number of computers on your LAN, you probably will want to use a c-class (256
interfaces) address range. A good one to use is

192.168.0.*

The corresponding subnet mask is 255.255.255.0

Anything in the range 192.168.0.x through to 192.168.255.x is usable for these purposes.

You should set up your LAN using numbers in this range. You should need no other settings in the
TCP/IP setup of your LAN computers, except that on the WinGate server, you need an entry for DNS
server, which will be the IP address given to you by your service provider. If you have been using the
Internet before getting hold of WinGate, then this will have already been set up for you.

Note

To get started, you may like to put an entry for the WinGate server in the host files of each of your LAN
computers. Or if you are running a DNS server, you should put it in there, and make sure all your LAN
computers are pointing to it - except for the WinGate server, which should use the DNS server of your
Internet Service Provider.

An example may be (if you are using the 192.168.0.* private c-class addresses on your LAN, which
we recommend)

192.168.0.1 wingate

Remember that you must put an enter tab at the end of the last line in hosts file, else it may not be
recognized.

Multi segment LANs

If you are running a LAN with more than one segment (i.e. with your own internal router[s]) then you will
need to make a few modifications to your setup on the WinGate server, otherwise you will not be able to
use WinGate from the other segments of your LAN that aren’t directly connected to the WinGate server.

The reason for this is as follows.

When your computer dials up your service provider, the PPP login sequence allocates a new default
gateway for the computer that connects. This is done so that the computer connecting can access
computers on the Internet through a router at your ISP. The side effect of this however is that the default
gateway no longer points to a router on your internal LAN which was providing access to your other LAN
segments. This means you have effectively lost the route to these other subnets.

The way around this problem is to add static routes to the route table on the WinGate server. This is
done using the route command - available on all Windows operating systems.

The syntax of this command is explained in the command itself, but generally the command(s) you will
issue will look something like:

route add <subnet> MASK <subnet mask> <router address>

You will need one for each subnet on your LAN/WAN that needs access.

• More info on Routing

Routing

This is the run-down on route tables for multi-homed hosts (more than one interface).

Interface

An interface is a logical interface associated with a piece of communications hardware that has a TCP/IP
stack. These bits of hardware include things like Modems, Ethernet cards, Ethernet interfaces on a router
etc. The logical interface always has an IP address associated with it.

These IP addresses must be unique within any connected network.

Route Tables

When you want to make a TCP/IP connection, or just send some packets to a computer, you have to
figure out which interface to use to send the packets. It is obviously no good sending packets out your
LAN adapter when you are trying to connect to an Internet site. Conversely, it is no good sending packets
out your modem when you are trying to access a computer on your LAN.

For this reason, there are routing tables. The routing table is a table that the TCP/IP stack looks at when
it wants to send a packet somewhere. It tells the stack which interface to pump the packets out of in order
to get to the desired destination.

Route table entries specify:

• A range of destinations (made up by network address / subnet mask - see later)

• Which router (gateway) to send packets to for these destinations

• Which interface to send packets out to get to these destinations.

In Windows operating systems, the syntax is:

route ADD networkaddr MASK subnetmask gateway

subnetmask is a way of saying which bits to ignore in the address when checking for a match. So if the
subnetmask is 255.255.255.0 then we ignore the last 8 bits of the address (last octet) when checking to see
if this route table entry applies to the destination or not.

Example:

This is my route table when I am online with my modem:

Active Routes:

Network Address    Netmask            Gateway Address    Interface       Metric

0.0.0.0            0.0.0.0            203.96.10.254      203.96.10.51    1
127.0.0.0          255.0.0.0          127.0.0.1          127.0.0.1       1
192.168.0.0        255.255.0.0        192.168.0.4        192.168.0.4     2
192.168.0.4        255.255.255.255    127.0.0.1          127.0.0.1       1
192.168.0.255      255.255.255.255    192.168.0.4        192.168.0.4     1
203.96.10.0        255.255.255.0      203.96.10.51       203.96.10.51    1
203.96.10.51       255.255.255.255    127.0.0.1          127.0.0.1       1
203.96.10.255      255.255.255.255    203.96.10.51       203.96.10.51    1
224.0.0.0          224.0.0.0          203.96.10.51       203.96.10.51    1
224.0.0.0          224.0.0.0          192.168.0.4        192.168.0.4     1
255.255.255.255    255.255.255.255    192.168.0.4        192.168.0.4     1

I have 2 interfaces on my box - a LAN adapter with IP address 192.168.0.4 and a modem PPP interface
with address 203.96.10.51.

You will see that there is an entry in the table for both of these, plus some others.

Let’s have a look at the 4th entry, which is the definition of the entry for the LAN card. The meaning of
this entry is as follows. If we get a packet that we want to send to 192.168.0.4 MASK 255.255.255.255
(which means that it must match the whole address), then we will send the packet over interface
192.168.0.4 - the gateway is ignored. That is the easy one.

The next significant entry is the 3rd one. This says that if we have a packet for 192.168.0.0 MASK
255.255.0.0 (that means anything from 192.168.0.1 to 192.168.254.254 since 255 is reserved, as is 0) then
we send it out interface 192.168.0.4 - so this means all our LAN traffic goes out of the LAN card.

By comparison, the 7th entry is the same as the 4th entry, but it applies to the PPP interface
(modem) instead of the LAN card, and the 6th entry is the same as the 3rd entry, but it applies to the
range 203.96.10.1 to 203.96.10.254, which is a subnet on our service provider. This will probably give
us access to their router.

The other very significant entry is the 1st one. A destination of 0.0.0.0 with MASK 0.0.0.0 matches
any IP address at all. This is called the default route, and it is the last route used if there is no
match on the others. This is the one that causes problems in multi-segment networks when you dial up,
because this route is changed by the PPP login process. This means that if we don’t have a static
route (like the other entries) for a destination, we then send it out over the default route to
203.96.10.254 (our ISP’s router), which is accessible through the interface 203.96.10.51 (our modem).

As a result, everything goes out over our modem, with the exception of anything that matches a static
route, which includes our LAN (local subnet only).

The other entries are as follows.

127.0.0.0 is the localhost (loopback interface). This is a software only interface internal to the stack itself,
and is not accessible over any interface. This means that this interface can only be accessed from the
computer itself.

192.168.0.255 is the broadcast address for broadcast packets on our LAN. 203.96.10.255 is the broadcast
address for broadcast packets on the LAN segment on our ISP.

224.0.0.0 is another broadcast (or perhaps multicast) address on both our LAN and the ISP’s LAN. The
effect of two matching entries means that any packets sent to this destination will be broadcast on
our LAN and the ISP’s LAN.

255.255.255.255 is the global broadcast address.

Route table when off-line

Active Routes:

Network Address    Netmask            Gateway Address    Interface      Metric

127.0.0.0          255.0.0.0          127.0.0.1          127.0.0.1      1
192.168.0.0        255.255.0.0        192.168.0.4        192.168.0.4    1
192.168.0.4        255.255.255.255    127.0.0.1          127.0.0.1      1
192.168.0.255      255.255.255.255    192.168.0.4        192.168.0.4    1
224.0.0.0          224.0.0.0          192.168.0.4        192.168.0.4    1
255.255.255.255    255.255.255.255    192.168.0.4        192.168.0.4    1

These routes are all the same, except for the PPP interface addresses: since we are off-line, there is no
PPP interface.

Routes Automatically Created By The OS

There are a number of routes created automatically by the OS. Whenever an interface is added, you get a
route for the interface, one for the subnet the interface is on, and one for the broadcast address for that
interface. If you look at the route table above, the interface 192.168.0.4 results in the addition of route
entries 2, 3, 4, 5 and 6.

The OS also creates the localhost interface (1st entry).

Important Note:

If you specify a default gateway for your LAN adapter (i.e. you have a router on your LAN), then you
also get a default route entry. This is the entry that is used to access the other subnets on your LAN.

What does this mean?

It means that your PPP login changes your default route. Then, by default, all your packets go to your
ISP’s router (so that you can access Internet sites). This makes the rest of your LAN segments
inaccessible, since they will have been dependent on the default route, unless of course you have
manually entered a static route to those subnets.

Therefore, if you have other subnets, you need to add a static route to your route table with the route
add command.

You can be smart about it.

If for instance you have numbered your segments like this:

Segment A (WinGate server): 192.168.0.0 mask 255.255.255.0

(this means 192.168.0.1 to 192.168.0.254)

Segment B : 192.168.1.0 mask 255.255.255.0

Segment C : 192.168.2.0 mask 255.255.255.0

Segment D : 192.168.3.0 mask 255.255.255.0

Segment E : 192.168.4.0 mask 255.255.255.0

Segment F : 192.168.5.0 mask 255.255.255.0

Segment G : 192.168.6.0 mask 255.255.255.0

and the router is on 192.168.0.254

Then you can do it the hard way, and add a route for each of B to F - e.g.

route ADD 192.168.1.0 MASK 255.255.255.0 192.168.0.254

route ADD 192.168.2.0 MASK 255.255.255.0 192.168.0.254

route ADD 192.168.3.0 MASK 255.255.255.0 192.168.0.254

route ADD 192.168.4.0 MASK 255.255.255.0 192.168.0.254

route ADD 192.168.5.0 MASK 255.255.255.0 192.168.0.254

route ADD 192.168.6.0 MASK 255.255.255.0 192.168.0.254

or, you could combine these to a single entry by setting the mask to ignore the second to last octet of the
address as well –

e.g.

route ADD 192.168.0.0 MASK 255.255.0.0 192.168.0.254

This would cover segments B to F.

If some of the segments B to F are only accessible through another router somewhere else, you can either
add route statements to the router on 192.168.0.254 or put in different route table entries for these ones.

When matching, the stack looks for a match in this sequence:

1. Look for a match with an interface address (mask of 255.255.255.255 - exact address)
2. Look for a match with a subnet
3. Use the default route.
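
The matching order above and the multi-segment problem, worked through as an added example (not part of the WinGate manual). The lookup generalises the three-step sequence to "longest matching mask wins, lower metric breaks ties", and the route table is constructed from the manual's sample addresses with Segment A on mask 255.255.255.0; it reports which internal destinations would leave through the PPP interface before and after the single summarising route ADD.

```javascript
// Added example, not from the WinGate manual. Addresses are the manual's
// sample values; the table and destination list are constructed.

function ipToInt(ip) {
  const parts = ip.split(".");
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error("bad IPv4 address: " + ip);
  // ">>> 0" keeps the value unsigned when the first octet is 128 or more.
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

// Number of 1 bits in a subnet mask (255.255.255.0 -> 24).
function maskLength(mask) {
  let m = ipToInt(mask);
  let bits = 0;
  while (m !== 0) {
    bits += m & 1;
    m >>>= 1;
  }
  return bits;
}

function route(net, mask, gateway, iface, metric) {
  return { net, mask, gateway, iface, metric };
}

// Pick the matching route with the longest mask; ties go to the lower metric.
// A host route (255.255.255.255) therefore beats a subnet route, and the
// default route (0.0.0.0) is used only when nothing else matches.
function lookup(routes, dest) {
  const d = ipToInt(dest);
  let best = null;
  for (const r of routes) {
    const m = ipToInt(r.mask);
    if ((d & m) !== (ipToInt(r.net) & m)) continue;
    const len = maskLength(r.mask);
    if (best === null || len > best.len ||
        (len === best.len && r.metric < best.route.metric)) {
      best = { len, route: r };
    }
  }
  return best === null ? null : best.route;
}

const PPP_IFACE = "203.96.10.51";
const LAN_IFACE = "192.168.0.4";

// WinGate server while dialled up: PPP login has replaced the default route.
const ONLINE = [
  route("0.0.0.0", "0.0.0.0", "203.96.10.254", PPP_IFACE, 1),
  route("127.0.0.0", "255.0.0.0", "127.0.0.1", "127.0.0.1", 1),
  route("192.168.0.0", "255.255.255.0", LAN_IFACE, LAN_IFACE, 1),
  route("192.168.0.4", "255.255.255.255", "127.0.0.1", "127.0.0.1", 1),
  route("203.96.10.0", "255.255.255.0", PPP_IFACE, PPP_IFACE, 1),
  route("203.96.10.51", "255.255.255.255", "127.0.0.1", "127.0.0.1", 1),
];

// route ADD 192.168.0.0 MASK 255.255.0.0 192.168.0.254
const SUMMARY = route("192.168.0.0", "255.255.0.0", "192.168.0.254", LAN_IFACE, 1);

// Hosts on Segment A, B, D and G (constructed).
const INTERNAL = ["192.168.0.7", "192.168.1.20", "192.168.3.10", "192.168.6.99"];

// Internal destinations that would be sent out of the PPP interface.
function leavingViaPpp(routes, dests) {
  return dests.filter((d) => lookup(routes, d).iface === PPP_IFACE);
}

console.log("before route ADD:", leavingViaPpp(ONLINE, INTERNAL));
console.log("after route ADD: ", leavingViaPpp(ONLINE.concat([SUMMARY]), INTERNAL));
```

Segment A traffic keeps using the directly connected 255.255.255.0 route after the change, because that mask is longer than the 255.255.0.0 summary.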

TCP UDP and IP

TCP/IP

TCP/IP is essential if you want to use the Internet. TCP/IP stands for ‘Transmission Control Protocol /
Internet Protocol’. TCP/IP (usually called TCP) is the standard method of sending data on the Internet. It
is based on data packets that have a set format, including to and from addresses, similar to a letter. If you
want to use the Internet or WinGate, it needs to be installed on every computer on your LAN. Actually
TCP and IP are different protocols, but they are so tied up that they are usually referred to in this way.

Packet

A data packet is like a ‘mail parcel’. Think of a package that gets sent in the post. There are a few
things that you have to have. There has to be a name and address for the recipient, a return
address, there have to be stamps, and of course the envelope or wrapping paper. But what you put in the
parcel is up to you. You can send (within reason) anything that will be accepted by the post office. A
data packet is very similar to this. You have to supply certain ‘wrappers’ such as ‘to’ and ‘from’ fields,
but what is sent as the payload is up to you. There are different types of packets used on the Internet and
other networks, but all of them use this idea of a parcel of data.

IP

IP stands for Internet Protocol. This is the method used on the Internet (and on many LANs) to
communicate. IP is a system of datagram packets. IP is not usually dealt with directly; this is the job of
TCP. IP gets datagrams from point A to point B. TCP sends IP a datagram, and a destination. It
assembles and sends a packet with information from the source (e.g. TCP) and a checksum that indicates
the integrity of the packet. IP doesn’t care about what is in the datagram. In fact it does not care if the
packet it sends even gets there, and when IP receives a packet, if it has been garbled, IP throws it away! It is
up to the protocol using IP to arrange for the packet to be resent if required.

IP Number / IP Address

An IP address is the way IP distinguishes computers (or more specifically Interfaces) that exist on the
same network. On the Internet you simply cannot have two computers sharing an IP, as this creates havoc
when trying to send data to the correct location. All computers that are ‘on’ the Internet (or LAN) need
discrete IPs. There are different types of IP.

You have probably seen addresses in the form 128.211.23.45. This is a 32-bit number separated into four
8-bit parts. The four parts are somewhat similar to a mailing address, with the difference that the detail is
ordered "the other way round". The first number of the IP is the most general and the last is the most
specific. Since each computer on the Internet needs a different IP, there has to be some way of dishing
out the IPs so that large companies and organizations have one for all their computers, while smaller
organizations have some to go around as well. Since there are a small number of large organizations and
a large number of small organizations, ranges of IPs can be allocated accordingly.

An IP address has 2 parts: the network and the host identifiers. There are three ways to split the IPs
into two parts.

Class A nnn.hhh.hhh.hhh

Class B nnn.nnn.hhh.hhh

Class C nnn.nnn.nnn.hhh

where n’s=network identifier, h’s=host identifier

A huge company with very complex internal networks may be allocated a class A address range such as
105.*.*.* . Only the range 1.*.*.* to 126.*.*.* are available for A class addresses. There are very few A
class addresses, and no more are to be allocated, mainly because no one has 16 million computers on their
network!

B class addresses however are common for large companies, allowing a range of around 65000 IPs.
Microsoft and IBM probably have several each. When a B class IP address is allocated, (say
165.103.*.*), the first two numbers identify that company network. The company can decide what to do
with the next two (*’s in this case mean any number), and give any IP in that range to any computer on
their network. B class networks addresses have 128 - 191 as the first number in the IP.

Class C addresses are the third type, giving 254 possible addresses (0 and 255 are reserved). Here, the
first three 8 bit fields are specified, and the remaining field is allocated by the owner of the address. C
class licenses are in the range 192.*.*.* to 223.*.*.*

Networks that are directly connected to the Internet are connected to an ISP via some fulltime connection
(such as a cable or leased line) and the ISP will inform the network administrator of which IP’s can be
used on the network. A router is used to ‘tell computers how to get to a particular IP’. (You may wish to
read about Routing.)

ISP’s typically have 1-2 C class licenses, providing 250 to 500 IP’s. When you dial up an ISP with a
modem, you are dynamically allocated an IP address. This will be in the range of the C class licence that
they own.

Private IPs

Private IP addresses are ranges of IP addresses that are ‘known not to exist’ on the Internet. This means
that no computer on the Internet will be assigned these addresses. These can safely be used in internal
LANs, as they have no direct connection to the Internet. One example of a Private IP range is the
192.168.0.* range that this manual commonly refers to.

The private IP ranges that will not be allocated on the Internet are:

10.0.0.0 to 10.255.255.255 Class A

172.16.0.0 to 172.31.255.255 Class B

192.168.0.0 to 192.168.255.255 Class C

Do not choose an IP range that is not on this list. Also note that 0 and 255 are reserved in any class.

Netmask

Network masks are IP filters. They are used in directing or ‘routing’ network traffic. The mask is related
to whether you are on an A, B or C class network. See Routing for an extended explanation.
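The following Python example is added here and is not part of the WinGate manual. It classifies an address using the class ranges and private ranges given above; the function names are hypothetical, and the default mask per class is the standard classful one, which the text implies but does not list.

```python
import ipaddress

# First-octet ranges and the standard classful default masks.
# The octet ranges come from the text above; the masks are an assumption
# of this example (the manual only says the mask depends on the class).
CLASSES = [
    ("A", 1, 126, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
]

# Private ranges exactly as listed above (inclusive start and end).
PRIVATE_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]


def describe(address):
    """Split an IPv4 address into its classful network and host parts."""
    ip = ipaddress.IPv4Address(address)  # raises ValueError on bad input
    first_octet = ip.packed[0]
    info = {
        "class": None,        # stays None for 127.* and for addresses above 223.*
        "netmask": None,
        "network": None,
        "host": None,
        "assignable": False,  # False when the host part is all 0s or all 1s
        "loopback": first_octet == 127,
        "private": any(
            ipaddress.IPv4Address(low) <= ip <= ipaddress.IPv4Address(high)
            for low, high in PRIVATE_RANGES
        ),
    }
    for name, low, high, mask in CLASSES:
        if low <= first_octet <= high:
            mask_bits = int(ipaddress.IPv4Address(mask))
            host_bits = mask_bits ^ 0xFFFFFFFF
            host = int(ip) & host_bits
            info.update(
                {
                    "class": name,
                    "netmask": mask,
                    "network": str(ipaddress.IPv4Address(int(ip) & mask_bits)),
                    "host": host,
                    # The all-zeros host is the network itself and the
                    # all-ones host is the broadcast address.
                    "assignable": host not in (0, host_bits),
                }
            )
            break
    return info


def usable_on_lan(address):
    """True only for an assignable host address inside a private range."""
    info = describe(address)
    return info["private"] and info["assignable"]


if __name__ == "__main__":
    for sample in ("192.168.0.1", "165.103.4.9", "172.32.0.1", "10.255.255.255"):
        print(sample, describe(sample), usable_on_lan(sample))
```

Note that 172.32.0.1 falls just outside the second private range, so it is rejected even though it looks similar to a private address.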

Localhost

Localhost is a special term in TCP/IP. 127.0.0.1 is the localhost (loopback interface). This is a
software-only interface, which is internal to the stack itself, and is not accessible over any interface.
It doesn’t matter what your LAN card IP really is, 127.0.0.1 will always refer to the local computer. This
means that this interface can only be accessed from the computer itself. It is like saying "ME" or "I" in
reference to yourself. Anyone can refer to themselves like this. "I lost my shoe!" means quite clearly that
whoever said this is in need of another shoe. However, you couldn’t say that your friend lost his shoe
simply by repeating his phrase, as people would think that it is you who had lost your shoe. TCP/IP uses
localhost in this same way. If a computer wants to talk to itself on a different port, it can say
"localhost:<port#>". The TCP stack looks at this, realises it refers to itself, and directs to the correct
port, without sending anything on the network. An instance of this is when you log on to WinGate with
GateKeeper for the first time (and always in Standard or Home versions). You connect to localhost:808.
That means "This computer, port 808". Programmers familiar with Objects will realise that this is like
referring to the object reference: ‘this’ (C++/Java) or ‘self’ (Pascal).

UDP

User Datagram Protocol is a ‘Connectionless’ protocol. It uses IP to send datagrams in a similar way to
TCP, except that like IP, and unlike TCP, UDP does not ensure the packets reach their destination. UDP
is used in applications where it is not essential for 100% of the packets to arrive; this is known as
lossy. This may sound strange, but often you don’t need all the packets. Think of an image. If you cover
the top half of the image then it is hard to understand the whole picture, but if you cover lots of tiny
parts of the picture, say with dots from a pen, you have to put a lot of dots before you lose the overall
picture. Think of a television. On a windy day, your antenna gets blown around and you have static all
over the screen. It doesn’t stop you understanding the story line. It is the same with radio transmission.
You can have really bad interference before you can’t understand someone talking. Programs that use Video
and Audio on the Internet don’t need to worry about every single packet. But you wouldn’t use UDP to
transmit a program, because if one single packet was wrong (let alone losing a whole packet) the file
would be useless. It is up to program designers to choose what method is most suitable. While TCP is
safer, UDP is often faster and is becoming more common. It is especially favored for ‘Streaming’ or
Real-time applications. These tend to be A/V programs, allowing conferencing or similar. More recently,
Internet applications have used both UDP and TCP. TCP is used for the essential or Control data, while
UDP is used for data for which losses are acceptable.

Encryption

Encryption is the process of making data secure by making it extremely difficult for anyone but the
intended user to understand. There are many ways to do this.

The history of encryption goes back a long way, to the time when certain Greeks had reasons to be more
private with some of their writings! Their system involved swapping letters for their alphabetical
successor: a goes to b, b to c, z to a. While this fooled people for a while, it became obvious that this
system could be read easily if you recognized it. Next they swapped letters with, say, the seventh letter
afterwards. This was harder to read, but with only 26 possible permutations, there was really only
temporary security (this is used in ROT13). Systems were devised that took the message and put in a
whole lot of other words, with the receiver knowing to read, say, every 10th word, or any word with a
capital. This is called an obscurity method, and is not true cryptography.

In the Second World War, some more advanced crypto systems were used on both sides. The best known was
the Enigma machine. This system was the most advanced cryptographic system devised up to that time,
and Germany was so sure it could not be broken that they used it for all their communications throughout
the war. The major weakness of the Enigma was that it could not code a character as itself. It could
still, however, render many millions of permutations. Unbeknown to the Germans, the Polish underground
broke the code in 1940-41 and for the rest of the war the Allies were able to cryptanalyse the code. The
Enigma was a ‘rotor’ code, using a set of 5 rotors (only 3 were generally used, 4 for U-boats).

This system was possibly the first example of a cryptographic system where all the security was in the
key. In more conventional systems, it was important to protect the method of encryption, as reversal
could give you the ‘plain text’. The Allies captured many Enigma machines, but they were no use for
decoding, as all the security information was stored in the key. This meant that these heavy machines
were not, in themselves, a security issue. Only the daily rotor settings mattered. These 3 or 4 letter codes
gave the positions for the rotors. A number also told the operator which rotors to put in the machine, and
provided a few more settings for added complexity. (A machine could be set up in a minute, then a
message was typed, with the encrypted text showing on a small display.) Essentially, the Enigma machine
was a simple computer!

The Enigma machine caused a lot of interest in cryptography, and as computers developed in the 50’s,
one of their first applications was making and breaking codes. A new age of data-privacy has become
available with academic unclassified research into systems that can provide a typical citizen with security
enough to stall a major government. Adopting the Enigma approach of key-based security was an
important step. Another was the Public key style of systems. These systems use what are called ‘One
way’ algorithms.

The idea of a one-way system is this: given ‘plain text’, a key and a one-way algorithm you can produce
‘crypto text’. Given that cryptographic text and the same algorithm and key, you cannot get the plain text.
To obtain the original text you need a different key (and the same algorithm). This gets around the
problem of telling anyone your key. You make your public key publicly available, but this key is only
any good for encrypting data. Once encrypted, the plain text is only available on application of the
‘private key’ with the algorithm. This separates cryptographic systems into single and dual key systems.
Single key systems are more secure, but distribution of a key requires a secure channel. If a secure
channel is available, then these can be called shared secret systems.

GateKeeper uses a shared secret (the key), which is part of the program. For anything to communicate
with GateKeeper and to be able to negotiate a connection, it must know this secret, and know how to use
it.

Logic and Caching

The common use of the word logic says ‘Something that makes sense’. In mathematics, logic is the study
of true and false. Logic uses operators to combine trues and falses. Depending on the order of operators
and variables (t/f), a final result of True or False, Yes or No, 1 or zero can be established.

Common Operators

The most common operators are AND, OR, NOT and XOR.

AND

Say to get a true outcome you need two variables to be true. We call the variables a and b. We can say
outcome c needs a AND b. (True AND False) is equivalent to False.

OR

If an outcome only requires one of a number of variables to be true, we can say they are OR’ed. If we
have 2 variables, then if one, the other, or both are true, the result is true. Normal language ‘or’ is
actually an XOR, meaning one but only one.

NOT

Not simply negates the variable. NOT true is false, NOT false is true. Not is sometimes called the
complement.

XOR

This means one or the other but not both. T XOR T is F, T XOR F is T.

How Is This Related To WinGate?

Rules and caching in WinGate are logic based. Look at the ‘What to Purge’ Tab on the caching
properties. You will see a Tree control. This is how WinGate decides what to delete from the cache
when it gets too big, or when a manual purge is initiated. There are two levels in this tree. The lower
levels are the filters, shown as little books. These are OR’ed. Logically speaking, if a file matches one of
the filters, it will be deleted. Therefore if you add more filters, you will delete more files. Any file has
only to match one filter to be deleted; it could match 1, 2, several or all of the filters, but as long as it
matched at least one, it will be deleted. Filters on their own however, do little. To give them structure,
you have to add criteria. These are displayed as document icons. Criteria are AND’ed. This means that
all the criteria in a filter must apply for a filter to apply. Therefore, if a file does not match all the criteria
of a filter, then it is not deleted by that filter. However, if it matches any filter, it will be deleted. It works
like this:

"Does a file match ALL the criteria of ANY filter?" If the answer is yes, then delete.

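The purge rule described above (criteria AND'ed inside a filter, filters OR'ed together), as an added Python example that is not WinGate's own code. The criterion fields (`size_kb`, `age_days`, `content_type`), the filter names and the cache entries are constructed for illustration, and treating a filter with no criteria as matching nothing is an assumption of this example.

```python
import operator

# Comparison operators a criterion may use (names are this example's own).
OPERATORS = {
    ">": operator.gt,
    "<": operator.lt,
    "==": operator.eq,
    "startswith": str.startswith,
}

# Constructed cache entries; WinGate's real cache index is not shown in the manual.
CACHE = [
    {"url": "http://example.com/index.html", "size_kb": 12, "age_days": 2,
     "content_type": "text/html"},
    {"url": "http://example.com/setup.exe", "size_kb": 4096, "age_days": 20,
     "content_type": "application/octet-stream"},
    {"url": "http://example.com/new.zip", "size_kb": 2048, "age_days": 1,
     "content_type": "application/zip"},
    {"url": "http://example.com/logo.gif", "size_kb": 8, "age_days": 45,
     "content_type": "image/gif"},
    {"url": "http://example.com/photo.jpg", "size_kb": 900, "age_days": 60,
     "content_type": "image/jpeg"},
]

# Constructed filters: each filter (a "book") holds a list of criteria ("documents").
FILTERS = {
    "large and old": [("size_kb", ">", 500), ("age_days", ">", 7)],
    "stale images": [("content_type", "startswith", "image/"), ("age_days", ">", 30)],
}


def criterion_matches(entry, criterion):
    """Evaluate one (field, operator, value) criterion against a cache entry."""
    field, op, value = criterion
    return OPERATORS[op](entry[field], value)


def filter_matches(entry, criteria):
    """Criteria inside one filter are AND'ed: every one must apply."""
    # Assumption: an empty filter matches nothing. Plain all([]) would be True
    # and would purge the whole cache.
    return bool(criteria) and all(criterion_matches(entry, c) for c in criteria)


def matching_filters(entry, filters):
    """Names of every filter whose criteria all apply to this entry."""
    return [name for name, criteria in filters.items()
            if filter_matches(entry, criteria)]


def should_purge(entry, filters):
    """Filters are OR'ed: matching any single filter is enough to delete."""
    return bool(matching_filters(entry, filters))


def purge(cache, filters):
    """URLs that would be deleted: ALL the criteria of ANY filter."""
    return [entry["url"] for entry in cache if should_purge(entry, filters)]


if __name__ == "__main__":
    for entry in CACHE:
        print(entry["url"], matching_filters(entry, FILTERS))
```

Adding a filter can only grow the purge list, while adding a criterion to an existing filter can only shrink what that filter deletes.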
Glossary

A
Active Service

An active service is a service that is running i.e. listening for TCP/IP requests.

API

Application Programmers Interface. API’s are extensions to programming languages to provide high-
level functions and make them easier to use.

Assumed users

Assumed users are users that are using WinGate services and have not logged in, but about whom WinGate
has some information. This information is either the MAC address of the LAN card in their computer, or
preferably the NetBIOS computer name.

B
Binding

A binding is a ‘requirement to use’. In the case of a service (or protocol) to interface binding, it is a
requirement for the service to use the specified interface. Binding a service to an interface causes the
service to listen on the specified interface. WinGate services bind to all 'non-external' interfaces by
default. Services only listen to interfaces for which they have a binding. WinGate eliminates the chance
of binding to non-existent interfaces by listing only the interfaces actually on the WinGate server.

BSOD (Blue Screen Of Death)

When things go very wrong in Windows (it crashes), the last thing it does is dump the contents of its
memory to a file. A blue screen will appear asking you to contact your system administrator. This screen
is widely known as the infamous "Blue Screen of Death" and there is no recovery from it – you must
reboot the computer.

C
Caching

The WinGate WWW Proxy performs HTTP caching. Caching is the process of storing recently accessed
graphics, HTML documents or other files from the Internet on the WinGate server, to allow faster
retrieval. The cache in WinGate checks documents daily to ensure they are up-to-date, and will get a new
copy of the file if ‘Reloaded’ from a browser. The cache will not store URLs that have a ‘?’ symbol, i.e.
CGI dependent documents.

Cascading

Using one proxy to connect via another proxy is called cascading. It is commonly done when an ISP has
a WWW proxy for its customers to use. To cascade the WinGate WWW Proxy to the ISP’s proxy, simply
enter the ISP’s proxy details on the Connection tab of the WWW proxy, and select ‘Through cascaded
proxy server’.

CGI

CGI (Common Gateway Interface) is an Internet standard for small programs (called scripts) that reside
and run on the web server. They are most often used to process information sent from the user via an
HTML form (edit, combo and list boxes on web pages) and are used extensively by search engines etc.

Client Applications

Most applications make outgoing connections with other computers on the Internet to request services e.g.
forward or retrieve email, retrieve a web page or file for viewing etc. These applications are the most
common and include browsers like Netscape and IE, mail and ftp programs; they are called "client
applications". It is also important to realize that a single computer can play simultaneously the roles of
both client and server by running client and server applications.

Connection

A connection can mean several things. At a physical level it means a joining of two devices, by cable,
plug or similar. With Modems, it means a connection made on a successful dialing of another modem.
At an Internet software level it commonly means a channel of communication between the client and
server has been established.

D
DHCP

Dynamic Host Configuration Protocol. This is a service that automatically configures the TCP/IP settings
for the client computers on your network.

Dialer

The dialer is software that tells the modem who and when to dial. WinGate has a built in dialer.

DUN

This stands for Dial-Up-Networking, a Microsoft term for the part of the operating system used to get
modems to talk to each other in Windows.

E
Encryption

Encryption is the process of making data secure by making it extremely difficult for anyone but the
intended user to decode.

Exclusions

In DHCP manual mode, excluded IP ranges allow the administrator to say "Don’t allocate these IP
addresses to any computer." An exclusion range must lie within one of the scopes. The IP of the
WinGate server will not be assigned. This is effectively an exclusion.

F
Firewall

A firewall is a barrier between your network and the Internet, through which only authorized traffic can
pass. As traffic passes between your network and the Internet it is examined by the firewall which
follows the strict guideline of "whatever is not expressly permitted is denied."

To create the rules by which your firewall allows and disallows traffic, simply select the different Internet
services, IP addresses and hosts you wish to permit or deny.

Most firewalls screen traffic between a company's internal network and the Internet, however firewalls
can also secure one part of a network from another. For instance securing your corporate accounting
department or your network from your subsidiary's network.

FTP

FTP stands for File-Transfer-Protocol. This is a method by which files are uploaded to or downloaded from
the Internet. Many client applications exist to make the process easy.

G
GDP

Generic (or Gateway) Discovery Protocol. This protocol is an IANA registered Internet standard, with an
assigned system port number: 368. GDP is used for finding or discovering Gateway computers on a
network.

Group

The ‘Group’ is a collection of users. Typically members of a group will share common characteristics,
such as being in the same department of a company. If a rule applies to a group, then the rule applies
to all members of that group. You might have ‘Administrators’, ‘Users’ and ‘Dial-in’ groups, each
allowing different access rights. Users can belong to one, several, all or no groups.

H
Hosts file

The hosts file is a file that resides in the drivers directory of your Windows operating system. The hosts
file maps host names to IP addresses. Hosts files are not necessary now that WinGate has DHCP.

HTTP

HTTP is the Protocol used for World Wide Web browsing, but many other programs are starting to use
HTTP. The WinGate WWW proxy allows HTTP access to LAN users so they can view World Wide
Web sites.

HTTPS

This is secure HTTP. Netscape and other browsers have built in encryption, to make data exchange more
secure. This is commonly used for online purchasing, especially where Credit cards are involved.
Sometimes called SHTTP.

I
IANA

Internet Assigned Numbers Authority. This organization controls the assignment of IP port numbers.
Port numbers below 1024 are referred to as System ports. Developers of server applications that use these
ports must apply to the IANA for permission. Many port numbers are already assigned.

ICMP

Internet Control Message Protocol. This is a very low level extension to IP.

Interface

An interface is a ‘network connection’. That may be a network card, an online Dialer profile, or your
localhost loopback.

IP Number / IP address

An Internet protocol number is a unique identifying Internet address.

IRC

Internet Relay Chat. This is a popular type of application that allows many users to ‘text-chat’ with
multiple Internet users.

ISP

This stands for Internet Service Provider. ISPs are companies that have a connection to the Internet and
provide dial-up or direct connections to customers. Typically ISPs have many modems that customers
can dial up with a PPP account. Dialing up an ISP usually gives you direct access to the Internet. Many
ISPs also offer ISDN, T1, or other connections for improved speed.

L
Lease

The length of time for which a DHCP assigned IP can be used. Before the lease expires, the client must
renew the lease with the DHCP server.

Leased line

A Leased line is a full-time network connection to the Internet where you are given an IP address (or a
range of IP addresses) for your LAN. There are different methods of connection including ISDN, modem
and Ethernet. Basically they give you guaranteed access to the Internet. Full-time connections are often
called 24/7, meaning 24 hours, 7 days a week.

Licence

WinGate licenses are sold in different versions and counts. There are three versions of WinGate: Home,
Standard and Pro. A licence is obtained from a WinGate reseller. WinGate comes with a free built-in
1-user licence for evaluation. The user counts are: 2, 3, 6, 12, 25, 50 and unlimited. This number
represents the number of simultaneous accesses to the Internet via WinGate; it is not the number of
computers on your network. It is common to have a network of over 10 users, but to have only a 6-user
licence. This is a way of limiting Internet use.

Localhost

Localhost is a special term in TCP/IP. 127.0.0.1 is the localhost (loopback interface). This is a
software-only interface, internal to the stack itself, and it is not accessible over any interface.

LSP

Layered Service Provider. This system is part of the Winsock 2 extensions. It allows chaining of certain
Winsock functions. The WinGate Internet client is an LSP.

M
Multiplexing

Multiplexing is the act of combining two or more data streams in such a fashion that they are individually
usable. WinGate is an Internet client multiplexing server, combining the Internet requests from a group of
client computers and sending them over a single Internet connection to their desired location.

N
NAT

Network Address Translation. This is an alternative method of Internet access to Proxies or WRP. The
WinGate NAT acts as a router but substitutes its own external public IP address for the internal private
addresses of its clients in the packets that it forwards.

NIC

Network Interface Card.

Non-Proxy Request

When a program talks directly to a port as if it were a server without using the proxy protocol (i.e.
method), it makes a non-proxy request. Most proxy servers cannot handle this request type, though some
WinGate services can handle both types of requests.

P
Packet

A data packet is like a ‘mail parcel’. Think of a package that gets sent in the post. There are a few
things that you must have; they are the necessary requirements for mailing the parcel. There has to be a
name and address for the recipient, a return address, then you need stamps, and of course the envelope or
wrapping paper. But what you put in the parcel is up to you. You can send (within reason) anything that
will be accepted by the post office. A data packet is very similar to this. You have to supply certain
‘wrappers’ like the "to and from" fields, but what is sent as the payload is up to you.

There are different types of packets used on the Internet and other networks, but all of them use this idea
of a parcel of data.

Ping

Ping is a command available on most TCP/IP capable systems including DOS. It is a command line
program that tests a TCP connection between locations, and gives feedback on the speed of the link.

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list

Options:

    -t             Ping the specified host until interrupted.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         type Of Service.
    -r count       Record route for count hops.
    -s count       timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     timeout in milliseconds to wait for each reply.

To test for a connection to ftp.microsoft.com, type at a command prompt:

ping ftp.microsoft.com <enter>

From a computer that is directly connected to the Internet you will get a response such as

Pinging [198.105.232.1] with 32 bytes of data

Reply from [198.105.232.1] : Bytes=32 time 40ms

Reply from [198.105.232.1] : Bytes=32 time 20ms

Reply from [198.105.232.1] : Bytes=32 time 20ms

Reply from [198.105.232.1] : Bytes=32 time 30ms

You will notice that the name you typed is converted to an IP address. This is where DNS comes in.
Without DNS you can only ping IPs.

From a workstation that is connected through WinGate you would get a result similar to

Pinging [198.105.232.1] with 32 bytes of data

Destination host unreachable

Destination host unreachable

Destination host unreachable

Destination host unreachable

(You may get 4 ‘Request timed out’ messages instead; they are basically the same thing.)

This indicates that DNS is working. WinGate can’t proxy ping packets, so you can’t get the other data
from the ping.

If you get a result like

Bad IP address ftp.microsoft.com

Then your DNS probably isn’t working, so go back and check where you may have gone wrong.
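The three outcomes walked through above can be told apart mechanically. This Python example is added here and is not part of the WinGate manual; the function name and verdict strings are hypothetical, and the sample outputs are copied from the text above.

```python
import re

# "Pinging [ip] ..." or "Pinging name [ip] ..."; a resolved address in the
# header means the name lookup succeeded.
HEADER = re.compile(r"Pinging\s+(?:\S+\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BAD_NAME = re.compile(r"Bad IP address\s+(\S+)")
UNANSWERED = ("Destination host unreachable", "Request timed out")

# Sample outputs as printed in the manual text above.
DIRECT = """\
Pinging [198.105.232.1] with 32 bytes of data
Reply from [198.105.232.1] : Bytes=32 time 40ms
Reply from [198.105.232.1] : Bytes=32 time 20ms
Reply from [198.105.232.1] : Bytes=32 time 20ms
Reply from [198.105.232.1] : Bytes=32 time 30ms
"""

VIA_WINGATE = """\
Pinging [198.105.232.1] with 32 bytes of data
Destination host unreachable
Destination host unreachable
Destination host unreachable
Destination host unreachable
"""

DNS_BROKEN = "Bad IP address ftp.microsoft.com\n"


def diagnose_ping(output):
    """Classify ping output using the three cases the manual describes."""
    result = {"resolved_ip": None, "replies": 0, "unanswered": 0,
              "bad_name": None, "verdict": "inconclusive"}
    for raw_line in output.splitlines():
        line = raw_line.strip()
        header = HEADER.match(line)
        bad = BAD_NAME.match(line)
        if header:
            result["resolved_ip"] = header.group(1)
        elif bad:
            result["bad_name"] = bad.group(1)
        elif line.startswith("Reply from"):
            result["replies"] += 1
        elif line.startswith(UNANSWERED):
            result["unanswered"] += 1

    if result["bad_name"]:
        # The name never became an address: check the DNS configuration.
        result["verdict"] = "dns-failure"
    elif result["replies"]:
        # Echo replies came back, so the machine reaches the Internet directly.
        result["verdict"] = "direct-connection"
    elif result["resolved_ip"] and result["unanswered"]:
        # Name resolved but no echo replies: expected behind WinGate,
        # which does not proxy ping packets.
        result["verdict"] = "dns-ok-ping-not-proxied"
    return result


if __name__ == "__main__":
    for label, text in (("direct", DIRECT), ("via WinGate", VIA_WINGATE),
                        ("broken DNS", DNS_BROKEN)):
        print(label, diagnose_ping(text))
```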

Policies

WinGate policies and rights are available to allow the Administrator to control who can do what
operations with WinGate configuration or access.

POP3

Used for retrieving mail from mail servers. It is a simple protocol that was preceded by the even simpler
POP2, and the positively prehistoric POP. POP3 is used by Eudora and other mail clients to talk to POP3
servers in order to retrieve mail.

Ports

A port can be thought of as a channel of communications to a computer. Similar to telephones, it is like a
company’s PABX that has several lines. Packets of information coming into a computer are addressed
not only to that computer, but to that computer on a specified port. You can think of a port as a radio
channel if you like, but the fundamental difference between a radio receiver and a computer is that the
computer can listen to any or all of 65000 possible channels at once! A Port is a logical TCP/IP
connection. Any TCP/IP program needs to use a port to communicate with any other program or
computer. Certain ports are set aside for certain TCP/IP operations, e.g. 80 for HTTP.

Pro

WinGate Pro, Standard and Home are the three license types for WinGate. Pro has all the features of
Standard plus the ability to add Users and Groups, and to do remote administration with GateKeeper. Pro
licenses are available in 6, 12, 25, 50 or unlimited user forms.

Protocol

See Unix. A Protocol is a method by which 2 or more parties can communicate or organize their
communication. Network protocols are very strict. If an application does not follow the agreed style of
communication, then it is unlikely to be understood. Protocol includes such things as greeting a
server, logging on with a name and password, requesting and sending information, and saying ‘good bye’
when closing the connection. This is a similar idea to writing a letter. First one writes one’s own
details, then the recipient’s name and address, then one greets them with their correct title. Then the
bulk of the letter is written. At the end, a suitable sign off such as ‘yours sincerely’ and then a
signature close the communication. Proxy servers typically need one proxy per supported protocol.
Examples of Protocols are POP3 (Post Office Protocol) and HTTP (Hypertext Transfer Protocol).

Proxy

The normal meaning of the word proxy is someone who does something on behalf of someone else, e.g.
voting by proxy. The Internet use of the word means basically the same thing, in relation to a software
program. WinGate does things on behalf of other software programs. Specifically WinGate makes
Internet requests on behalf of Internet clients to Internet servers.

Proxy Request

This is the action taken when a proxy aware program ‘talks’ to a proxy and asks for a resource.

R
RAS

Remote Access Service. An NT term, more or less the same as DUN. This is the modem controlling
software in Windows.

Resource

A resource is a term used to mean any data item or hardware processing/storage. On a computer,
resources are the memory, disk space, or processing time. An Internet resource is a Graphic, an HTML
page, a downloadable file, live streaming video or any other available data. WinGate has internal
resources, images, used to display the FTP listings in browsers.

Rights

WinGate rights and policies are available to allow the Administrator to control who can do what
operations with WinGate configuration or access.

S
Scope

A Scope is a range of IP addresses sharing common properties. The DHCP server’s Auto mode will use
the 192.168.0.1 to 192.168.0.254 scope. A DHCP scope comprises a group of computers running DHCP
clients in a subnet.

Server Application

Some applications ‘listen’ for incoming connections or requests to do something for other computers.
These kinds of programs are called "server applications" because they exist to provide services for other
computers that request them. Common examples of these are web servers (serve requested HTML
documents to clients), FTP servers (serve any requested files to clients) and SMTP/POP3 mail servers
(store and forward email). Note that for a server application to ‘hear’ incoming requests from computers
on the Internet it must be ‘bound’ to a port on a public interface (i.e. a port on the WinGate server).

Service

A service is something that helps or serves you. In WinGate, the proxies are services provided to help
you connect to the Internet.

SMTP

Simple Mail Transfer Protocol is the method used on the Internet for sending mail. WinGate uses a
Mapped link to facilitate SMTP.

SOCKS

SOCKS is a firewall negotiation protocol. WinGate has a SOCKS server built in.

SSL

SSL (Secure Socket Layer) is one of the two protocols for secure WWW connections (the other is
SHTTP). WWW security has become important, as increasing amounts of sensitive information, such as
credit card numbers, are being transmitted over the Internet.

Subnet

A subnet is a group of computers that are directly connected via coax or a hub. A computer with two
network adapters will be on 2 subnets.

T
TCP/IP

TCP/IP is essential if you want to use the Internet. TCP/IP stands for ‘Transmission Control Protocol /
Internet Protocol’. TCP/IP (usually called TCP) is the standard method of sending data on the Internet. It
is based on data packets that have a set format, including to and from addresses, similar to a letter. If you
want to use the Internet or WinGate, it needs to be installed on every computer on your LAN.

Actually TCP and IP are different protocols, but they are so tied up that they are usually referred to in this
way.

Telnet

Telnet is a command line program used to access remote computers and run programs on them. Telnet
was the method by which the Internet was first used. WinGate has a Telnet proxy.

Terminator

A small device used at each end of a coaxial-cabled network. Terminators are essential.

U
UDP

User Datagram Protocol is a ‘Connectionless’ protocol. It uses IP to send datagrams in a similar way to
TCP, except that like IP, and unlike TCP, UDP does not ensure the packets reach their destination.

Unix

Unix is an operating system like DOS that developed originally from a project at Berkeley. Really it is a
collection of operating systems that range from being identical to similar to totally incompatible. There
are a number of ‘Official’ or common Unix systems. It is an OS typically used on large computers.
While it is now recognized as being buggy, clunky and ugly, it is more flexible and can be more secure
than most other available OS’s. Because of the differences in some systems, certain ‘Protocols’ were
established. These protocols were like an intermediary language that both computers could use so they
would understand each other. These Protocols were a ‘Standard’ that could be published, and anyone
could write a program that could use that protocol, and it would understand any other program that used
that protocol.

URL

Uniform Resource Locator. URLs are a standard format for describing where a resource is on the
Internet. For example, a Web URL reads as

http://www.qbik.com/index.html

This means use the HTTP protocol when connecting to the server www.qbik.com to retrieve the
index.html document.

Users

WinGate allows you to create user names (e.g. Tim, Ben, Adrien). This gives you control over who is
able to access WinGate, what access they have, see how much data each user has used, and who can
configure WinGate. These are users just as in Windows. There are two default users that cannot be
removed: Administrator and Guest.

W
WGIC

WinGate Internet Client. This control panel applet provides Winsock redirection for the client computer.

WinGate engine

This refers to the program called wingate.exe. This program is the actual proxy server. You cannot see
the engine running, as it is a Windows service.

Winsock

Windows Sockets. This is the part of Windows that provides Sockets for TCP/IP.

WRP

Winsock Redirection Protocol. WRP is the protocol used by the WGIC and WRS to provide Winsock
redirection services.

WRS

Winsock Redirector Service. This is the service in WinGate that provides Winsock redirection.

Advanced WinGate Configuration

This is an advanced section for extra configuration of WinGate. Most of this is done in the registry, with
regedit.exe or regedt32.exe. Care must be taken with any registry operations, as they are not readily
reversible. It is recommended that you back up the WinGate key before making any changes to the
registry.

Registry Keys:

WinGate saves all settings under the key

HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\Wingate\

The key names are very self-explanatory.

Most require little explanation, however we will discuss the details of a few.

Cache

Contained here are the settings for the WinGate cache.

Default rights

This section contains the default rights that are normally accessed via the Default rights section in
GateKeeper. If you accidentally lock out all access to any of the Access, Edit or Start Stop rights, then
deleting the appropriate sub key will cause defaults to be used, and Administrators will have access as
normal.

DHCP

(DO NOT TOUCH) Stored here are the current leases allocated by the WinGate DHCP server. Also
stored is the Assumptions key, which stores details of assumptions based on Computer name.

ErrorStrings

The keys within each section here are the error message strings that WinGate uses in the event of an
error. You can customize the values held in these strings (don’t change the names themselves). You may
wish to use more descriptive error messages, messages that tell a user who to contact, or translate them
to another language. These strings can contain HTML (the source itself); WinGate supplies the header,
so the body content is all that is required. See below for more on this section.

Locations

This key holds sub keys relating to each IP based user assumption that you set in GateKeeper. Filter is
the IP address, Internal filter is the IP expanded to contain all the 0’s and ? placeholders for wildcards.

MimeTypes

The values stored are in the format

Name <extension-name> Value <mimetype>.

For example the mime type GIF would be stored with the name GIF and the value image/gif. You can
create new mime types so that the FTP in WWW can show more file types. Simply add the name of the
extension with its mime type, and add an icon to the resources directory. This directory contains GIF
files with the filename format <extension>.gif. These GIFs are used as icons for FTP in the WWW proxy.
You will notice common extensions such as .GIF, .jpg, .htm and .doc.

WinGate will look in that directory for <ext>.gif, and use it if it exists. If it does not exist, the
default.gif file will be used, a blank page icon. Directories are shown with the directory.gif image. You
can customize your WWW FTP proxy by adding new icons such as bat.gif, an icon that could be used to
represent batch files. You will notice that jpg.gif and gif.gif are identical. If you use another image
type, you could introduce a new icon for that type, or make a copy of gif.gif named, say, img.gif.
Netscape’s mime types are listed in the Options - general - helpers menu.

To add mime types for the WWW Proxy (used where WinGate is used as a WWW server, and also used
for FTP in the WWW proxy), add values to the key

HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\Wingate\MimeTypes

The name of the value should be the file extension for the relevant Mime Type. The string value should
be the actual mime type.

e.g.

html="text/html"

exe="application/binary"

There are a number of MimeTypes built into WinGate already.

Services

All the WinGate Services are listed in this section with self-explanatory titles.

Settings

The directories used for Audits, Logging and Caching are configurable in the registry. All changes to the
registry settings for WinGate require the WinGate service to be restarted.

Audit Files:

To change the directory of the audit files:

HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\Wingate\Settings\

create a value called AuditDirectory and set it to the path you want.

HTTPSearchOrder

This list of keys named ‘FormatX’ contains the list of site names that will be searched
upon an HTTP request.

WinGate will:

1. Search for the site ‘%s’ (e.g. wingate)

2. If it can’t find it, it will read the Format0 value and substitute the %s, e.g.
wingate.com (This example will succeed)

3. This process continues till a site is found that matches or there are no more
formats.

The requested site is represented as %s.

Normally the HTTPSearchOrder key will have the following entries:

"Format0"="www.%s.com"

"Format1"="%s.com"

"Format2"="www.%s"

Don’t specify a key for %s as WinGate always checks this first. You can add more
sites. This would be a comprehensive search:

"Format0"="www.%s.com"

"Format1"="%s.com"

"Format2"="www.%s"

"Format3"="www.%s.net"

"Format4"="%s.net"

"Format5"=" www.wingate.com/Titles?qt=%s"

The last entry will direct the client to the search site if there is no site with any of the
matching formats, and start a search with that keyword.

Log Files:

To change the directory of the service log files:

HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\WinGate\Settings\

create a value called LogFileDirectory and set it to the path you want.

Cache directory:

To change the directory of the cache files:

HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\WinGate\Cache\

edit a value called CacheDirectory and set it to the path you want.

Notes on Paths

If you want to use a network drive, you must use the UNC name, rather than any
mapped drive letter, as these are only valid once a user is logged on.

\\servername\sharename\path

e.g

CacheDirectory="\\BEAST\C\Cache"

Error Messages

There are four areas where individual error messages can be configured. Below is a list of the keys for
those areas with some examples of individual available error messages that are configurable. You most
likely will not need to change these.

[HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\WinGate\ErrorStrings\HTTP]

"AccessDeniedTitle"="Access Denied"

"AccessDeniedDescription"="You do not have sufficient rights for access to this resource"

[HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\WinGate\ErrorStrings\SocketErrors]

"HostnameLookupFailed"="Host name lookup for '%s' failed"

"RecvLineTimeout"="Timeout in recvline function"

[HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\WinGate\ErrorStrings\SOCKS]

"AccessDenied"="SOCKS4 connect to %s:%u failed - denied by SOCKS server"

"NoResponse"="SOCKS4 connect to %s:%u failed - no response from SOCKS server"

[HKEY_LOCAL_COMPUTER\SOFTWARE\Qbik Software\WinGate\ErrorStrings\SSL]

"BadResponse"="SSLTunnelling connect to %s:%u failed - bad response from HTTP server"

Other keys:

Warning: Changing the following keys is not recommended. Windows likes to deal with these services
itself. The preferred method for removing the service is in Uninstalling WinGate.

95 / 98

In the Windows 95/98 versions the following key is used to run WinGate as a service.

HKEY_LOCAL_COMPUTER\SOFTWARE\Microsoft\Windows\Current version\Run
Services\WinGate

Removing this key will prevent WinGate loading at startup. If you cannot access WinGate with
GateKeeper to shut it down, removing or renaming this key and restarting will have the same effect.

NT / 2000

In NT/ 2000 service information for WinGate is stored in

HKEY_LOCAL_COMPUTER\SYSTEM\CurrentControlSet\Services\WinGateEngine

In all versions:

HKEY_LOCAL_COMPUTER\Software\Microsoft\Windows\CurrentVersion\App Paths\gatekeeper.exe is used
to store the path of GateKeeper.

HKEY_CURRENT_USER\Software\Qbik Software\GateKeeper is used to store GateKeeper settings.

Overriding Language Settings with Registry

Once the language pack is installed, WinGate will choose a language based on the Windows regional
settings.

Sometimes the chosen language is not what you want. You can override this using the Windows registry.
Follow these steps:

1. Click ‘Start’ and select ‘Run’

2. Type ‘regedit’ and hit enter (this will load the Registry Editor applet)

3. Go to HKEY_CURRENT_USERS\SOFTWARE\Qbik Software\Settings\Language

4. Double-click on the language key and enter one of the following values:

ENU = English

FRA = French

DEU = German

ESP = Spanish

JPN = Japanese

KOR = Korean

See Multi-Language Support to learn more about language support in WinGate.

Other Information

• If you accidentally delete WinGate configuration information that prevents you from accessing
WinGate with Gatekeeper, do not reinstall WinGate. There are two likely possibilities. You may
have damaged your user account. If this is the case, log on as Administrator and rectify the
information, or delete the user key in the registry. If you have damaged the Admin user, delete the
Admin user in the registry. The other option is that you may have denied access to yourself. Either
log on as an Administrator and reinstate your access, or edit the registry and look at the rules that
may have prevented access to Gatekeeper. Check the Remote control service rules, and System
policies.

• The "Bug Report" article in InfoWorld (10/20/97, page 31) mentions a registry fix for those using
Novell NetWare Client 32 software and Internet Explorer 4. It says that IE 4 will work with
proxy servers after making this change.

The change is to add the registry key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DontUseDNSLoadBalancing = (REG_DWORD) 1.

• Various command line options are available with the WinGate EXE file.

For a list of these options type:

wingate.exe -?

• One of the available command line options is –clean. This option will stop and uninstall the service,
and delete all registry keys. Only use this option if you are sure you want to lose all your settings. If
you have a faulty installation you can use this option, but you will need to manually reconfigure all
settings upon reinstallation.

Hosts Files

The hosts files are not necessary any more, as the DNS server in WinGate provides name lookup for the
WinGate server. This section is included for interest's sake. You can, if you like, add names to the hosts
file. If you wish to have name resolution for the WinGate server, use the Network name of the WinGate
server.

A HOSTS file acts as a local database that tells your computer where to go when it's looking for a certain
address, a kind of "mini-domain name server." Using NOTEPAD, create a new text file. The only entry
in this file should be the IP address and name of the WinGate server, separated by at least one space.

The format is:

IPNUMBER<tab>NAME<enter>

IP Name to use for the WinGate server

It might look like this:

192.168.0.1 wingate

Make sure you press enter at the end of the line of text, otherwise Windows 95/NT may have trouble
recognizing it.

Save your file in the \WINDOWS directory in Windows 95 or the \system32\drivers\etc directory in NT,
with the filename HOSTS with NO file extension (for those who care, the HOSTS file entries do not
replace or interact with Netbios names in any way). To save a file name with no extension in Notepad,
surround the name in quotes, and add a dot to the end.

Usually there is a hosts.sam (sample) file in the same directory as the hosts file, so if you can’t find
hosts or you muck up your copy, you can look at the sample to see how they are laid out. Any line with a
# at the front is a comment. You only need the one line (as above) to get resolution for the name of the
WinGate server.

Secure Inter-Office Communications

This is originally from the paper:

Secure Inter-office communications across the Internet using WinGate 2.0a

This document is still applicable to the current version of WinGate. It has been updated to reflect changes
in WinGate since 2.0.

Introduction

Many companies are faced with the problem each year of how best to provide communications for their
core business functions. These functions are typically based around systems such as order-entry systems,
file-server access, remote control, and ancillary communications systems such as email or groupware. A
fundamental requirement for many of these systems is security; file servers and email often contain
sensitive or proprietary information.

Traditionally, for a company with remote offices, Wide-Area Networks have provided the
communications backbone to support these services. These solutions are often very expensive. Leased
lines cost a lot of money to rent particularly over long distances. This communications backbone is often
under-utilized. In many circumstances, expensive systems have had to be developed to circumvent the
use of communications, as the costs have been prohibitive.

Now there is another way. Using the general-purpose encryption and security built into WinGate, a
company can set up secure links between its offices using the Internet as a backbone. This has the
opportunity to revolutionise the way companies do business, drastically reducing costs and increasing the
options for communications. Using Internet and Intranet technologies (which are becoming more and
more prevalent in the corporate environment), WinGate can provide secure file access, secure email,
secure telnet-based order-entry systems, secure database access and much more.

How it works

With the release of WinGate 2 on 28 February 1997, a fundamental change was made. Support was
included for encrypted firewall-firewall communications at a building-block level. Specifically the
Mapping Proxies were given the capability to use encryption.

This provides a communications pipe where the data is encrypted in mid-stream.

There are a couple of principles that are useful to explain further here.

Client-server applications.

A client-server application is one where one process communicates with another to perform a task. The
task is usually requested by the client process, performed by the server process, and the results are sent
back to the client process. The communication is often achieved over a connection-oriented network
service such as a named pipe, a TCP connection (i.e. TCP/IP), a Netbios session or other. Typical
examples of this are telnet servers with terminal clients, SQL Server and SQL workstation, FTP servers
and clients, NFS clients and servers etc.

TCP Connection

A TCP connection provides two-way, reliable, sequenced data transfer using the TCP (Transfer Control
Protocol) normally over the network protocol IP (Internet Protocol). Hence the name TCP/IP. This
allows communications across networks between a process on one computer, and another process on
another computer.

TCP Port

A TCP port is a means of identifying a process within a computer that a TCP connection belongs to.
Every time a TCP connection is made, it is kept track of by the combination of IP address and port
number of each end of the connection. Normally server processes "listen" on a well-known predetermined
port number (e.g. port 80 for Web servers, 21 for FTP servers etc), so that a client can request
a connection to them. The client process however is allocated a unique port number by the operating
system for its end of the connection, and this guarantees the uniqueness of the connection information
used by TCP to provide the TCP connection. In this way, the same computer can make many unique TCP
connections to the same process on another computer, as each connection is unique by virtue of the client
port number.

Mapping Proxy

Mapping proxies can be thought of as a means to extend or project an interface from one computer to
another across a network, thereby making the projected computer appear to be somewhere else (like on
your local LAN). In WinGate, a mapping proxy uses TCP connections to project the interface. How it
works is this: a process (usually a client process) connects to WinGate on a predetermined TCP port
number (configured in WinGate). WinGate then immediately connects to a predetermined location (also
specified in WinGate), and any data that is sent from either client or server to each other, is relayed by
WinGate. In short the client thinks it is talking to the server, and the server thinks it is talking to the
client. WinGate itself takes no interest in the content of the data relayed between the client and the server.
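
The relay described above, as an added Python sketch (not WinGate code): start_mapping_proxy and the other names are hypothetical, the upper-casing server is a constructed stand-in for the remote host, and everything runs on loopback. The relay copies bytes without inspecting them and adds no authentication or encryption of its own.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until src reaches EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)  # relayed untouched: the proxy never parses the payload
    except OSError:
        pass  # a reset on either side simply ends this direction
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """One accepted client: connect to the fixed target and relay both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # target unreachable: drop the client instead of hanging
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_mapping_proxy(listen_addr, target):
    """Listen on listen_addr and map every connection to target. Returns the bound address."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(listen_addr)
    listener.listen()

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()


def start_upper_server():
    """Constructed stand-in for the remote server: replies with the input upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while data := conn.recv(4096):
                    conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo():
    """Client -> mapping proxy -> server, all on loopback; returns the reply the client sees."""
    server = start_upper_server()
    proxy = start_mapping_proxy(("127.0.0.1", 0), server)
    with socket.create_connection(proxy, timeout=5) as client:
        client.sendall(b"login: order-entry\n")  # constructed sample input
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    print(demo())
```

The client only ever connects to the proxy's address; which host and port it really reaches is decided entirely by the proxy's configuration.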

Encrypted Mapping Proxy

The encryption support introduced with WinGate 2.0 allowed for one mapping proxy to connect to
another, authenticate, and allow for the data relayed to be encrypted. Since a mapping proxy is like a
client and a server (as are all proxies), you can specify whether the client communications or the server
communications or both will be encrypted. To set up the secure link you specify on the client side (the
proxy that a client will connect to) that incoming communications will not be encrypted (as the client does
not know the encryption protocol). Communications out will be encrypted, as the mapping proxy will be
connecting to another mapping proxy that will be expecting incoming communications to be encrypted.

The encryption scheme is based on a 128 bit key with a challenge response mechanism, so that at no time
is any information sent that could be used to determine the encryption keys. This requires that a username
and password are known at each end of the link (i.e. in each copy of WinGate) before the communications
will take place.
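
A generic challenge-response exchange of the kind this paragraph describes, as an added Python sketch. The page does not specify WinGate's actual algorithm, so the HMAC-SHA256 and PBKDF2 construction, the class and function names, and the sample credentials are all assumptions.

```python
import hashlib
import hmac
import secrets


def password_key(username, password):
    """Both ends derive the same long-term secret from the credentials configured on each side."""
    salt = b"mapping-link:" + username.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _mac(key, label, server_nonce, client_nonce):
    return hmac.new(key, label + server_nonce + client_nonce, hashlib.sha256).digest()


def session_key(key, server_nonce, client_nonce):
    """128-bit key for encrypting the relayed data; computed locally, never transmitted."""
    return _mac(key, b"session", server_nonce, client_nonce)[:16]


class AcceptingProxy:
    """The end that expects incoming encrypted connections (hypothetical name)."""

    def __init__(self, users):
        self._users = dict(users)  # username -> password, as configured at this end
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, username, client_nonce, proof):
        """Return the session key if the proof matches the outstanding challenge, else None."""
        nonce, self._nonce = self._nonce, None  # a challenge is good for one attempt only
        if nonce is None:
            return None
        known = username in self._users
        # Unknown users go through the same work so the reply time does not reveal them.
        password = self._users.get(username, "placeholder-for-unknown-user")
        key = password_key(username, password)
        expected = _mac(key, b"auth", nonce, client_nonce)
        if not (hmac.compare_digest(expected, proof) and known):
            return None
        return session_key(key, nonce, client_nonce)


def connecting_proxy_reply(username, password, server_nonce):
    """The connecting end answers a challenge; returns (client_nonce, proof, session_key)."""
    client_nonce = secrets.token_bytes(16)
    key = password_key(username, password)
    proof = _mac(key, b"auth", server_nonce, client_nonce)
    return client_nonce, proof, session_key(key, server_nonce, client_nonce)


def handshake(acceptor, username, password):
    """Run one exchange; returns (acceptor_key, connector_key, bytes_seen_on_the_wire)."""
    server_nonce = acceptor.challenge()
    client_nonce, proof, connector_key = connecting_proxy_reply(username, password, server_nonce)
    acceptor_key = acceptor.verify(username, client_nonce, proof)
    wire = server_nonce + username.encode() + client_nonce + proof
    return acceptor_key, connector_key, wire


if __name__ == "__main__":
    # Constructed sample credentials.
    acceptor = AcceptingProxy({"remote-office": "correct horse battery"})
    a_key, c_key, wire = handshake(acceptor, "remote-office", "correct horse battery")
    print("keys match:", a_key == c_key, "| key on wire:", a_key in wire)
```

Only the two nonces, the username and the proof cross the link; the password and the 128-bit session key never do. In this sketch an observer who records an exchange can still test password guesses offline, so the shared password should be long and random.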

WinGate Services

The building-block setup of WinGate allows for a high degree of flexibility, and numerous options for
setting things up. A user can create any number of new services and specify all sorts of access controls
and parameters for each one.

The other proxy services built into WinGate also have built in support for cascading, or obtaining
connections through other services. What this means is that for example, the HTTP proxy can obtain
access to servers using the SOCKS4 protocol through a SOCKS server, as can the telnet gateway, and the
FTP proxy. This effectively provides a means for protocol conversion to traverse different networking
obstacles (e.g. other firewalls etc).

Examples

The following examples provide a more practical look at some of the typical scenarios, and how things
may be set up to implement them. The following three scenarios are considered:

1. Secure access to file server files

2. Secure access to telnet-based order-entry systems

3. Secure access to corporate web servers

Secure access to file server files

By using the FTP proxy in WinGate it is possible to gain secure access to a remote FTP server. One way
it could be put together is this.

Remote Office LAN WinGate installation

The FTP proxy is configured to connect out via a SOCKS server on interface localhost port 2080.
However, on port 2080 instead of actually running a SOCKS server, you run a mapping proxy, which
makes an encrypted connection to a port (say 2080) on your main office WinGate server.

Main Office LAN WinGate installation

The encrypted mapping proxy on port 2080 maps through to localhost on say port 3080, on which port
you are running a SOCKS server bound to the localhost interface. That’s it.

Now any FTP client on the remote office network can access any FTP server on your main office
network.

What is effectively happening, is that using the encrypted mapping proxy, the SOCKS server on the main
office network is projected into the remote office network, and the FTP proxy is using this to gain access
to FTP servers on your main office network.

Note:

In order for this to work, the FTP clients must be configured for PASV mode transfers.

Other options, depending on preference, could be to run the Remote Office FTP proxy on a different port
(you can even create another one specifically for this), and have it specify a non-proxy-request remote
server. Then when your clients want to connect to the server, they do not need to use a proxy-setup FTP
client, they can treat their local (Remote Office WinGate) FTP proxy as the Main Office FTP server.

Secure access to telnet-based order entry systems

Many corporate order entry systems run on Unix computers, and use telnet (or terminal) applications for
users to log in and work on the system.

Remote Office LAN WinGate installation

You run an encrypting Mapping proxy on say port 2023 with the remote host being your main office
WinGate server on say port 2023.

Main Office LAN WinGate installation

The encrypted mapping proxy on port 2023 maps through to your Unix computer on port 23. That’s it.
You may also configure your mapping proxy to only accept connections from known locations at certain
times etc.

Now for your clients to work on the server, they simply connect to port 2023 on their local WinGate
server, which connects them through to the mapping proxy on the main office WinGate server, which
decrypts the data, and plugs them through to the Unix computer telnet server.

Secure Access to Corporate Web Servers

Many corporate networks now run Web servers (HTTP servers) to disseminate corporate information to
their employees or clients.

Remote Office LAN WinGate installation

You run an encrypting Mapping proxy on say port 2080 with the remote host being your main office
WinGate server on say port 2080.

Main Office LAN WinGate installation

The encrypted mapping proxy on port 2080 maps through to your web server computer on port 80. That’s
it. You may also configure your mapping proxy to only accept connections from known locations at
certain times etc.

Now, for users to access the corporate web server from their browser, they simply type in the URL

http://wingate:2080/

where wingate is the name of their Remote Office WinGate server, and they have configured their
browser not to use a proxy for host "wingate".

Summary

In short, it is possible to access corporate servers for a number of protocols. Protocols that do not
explicitly support WinGate can be supported through the SOCKS protocol (e.g. by installing an
AutoSOCKS client on the remote office workstations). Client applications can use an encrypted projection
of the SOCKS server on the main office LAN to carry out their client-server communications.

This means that any client-server communication that uses exclusively TCP connections can be
configured to be accessed securely using the Internet as a backbone, thereby offering not only the
saving of leased line rentals, but also safe Internet access as well.

With the removal of the security issue, there is now no longer any major reason why companies need to
avoid using the readily available and cheap bandwidth that is available on the Internet.

Dialing in WinGate

The WinGate dialer supports the configuration of multiple phonebook entries. You can configure and
assign access rights to each phonebook entry (called a profile). In this way you can support multiple
dialup accounts, and restrict access to each account.

Note About Dialer Setup:

You should only setup dialing if you use a modem to access the Internet. If you use another method like a
leased line then leave the dialing blank.

When WinGate first starts, there will be no phonebook entries in the WinGate Dialer Properties dialog
box. This means that there is no dialing. You would want this setup where you do not require dialing
features (e.g. you have an Ethernet connection, or leased line connection or other direct link).

If you wish to use a modem on the Wingate server for access to the Internet, you need to configure a
phonebook entry using dial-up networking (called RAS in NT 3.51). WinGate uses the Windows
phonebook entries to dial and log in to your service provider with no user intervention required.

Dialer General Tab

Allow remote clients to disconnect: This option enables clients using the WinGate Internet Client to
disconnect with the dialer from the WinGate Dialup Monitor with the disconnect button. The button will
be disabled if this option is not set.

Dial: Dials the selected dialer profile.

Reset: Hangs up the selected dialer profile if it is online.

Important Notes:
• For "Connect as required" you can select any phonebook entry (a valid dialup connection) or "any".
If you select "any" then WinGate will use whichever connection is online or available.
• You MUST configure each profile that you wish to use. To do this, double click on each profile
entry on the General tab. The profiles will not operate correctly until you have done this.
• If you have a WinGate Home license the "Local Sites" and "Settings" tabs will be unavailable.

See also:

Dialing in WinGate

Dialer profile configuration

Dialer Local Sites Tab


The local sites tab is only available with the PRO and STANDARD licenses of WinGate.

The local sites tab contains a list of site names or IPs for which you do not want the dialer to make a new
connection. If a connection is requested to a site name that contains any of the words listed in this tab,
then dialing will not occur.

Tips for Local Sites:

It is sensible to prevent dialing for ‘localhost’, 127.0.0.1, "wingate" (the Netbios name of your gateway
PC) and the IP of the Wingate server.

If you add words such as "micro", then you won’t get dialing for anywhere on microsoft.com or any sub-
domain of microsoft.com, or microtest.com etc.

If you add a ‘.’ to the list, you will get no dialing for any address at all, as all names contain a ‘.’.

Dialer Settings Tab


The Settings tab is only available with the PRO and STANDARD licenses of WinGate.

Logging Options

Dialing/hanging up: Logs any connection status change.

Debug: Logs any debug error messages. Only set this if you are having
dialer problems.

Advanced Options

Status check Interval: The Dialer status is checked at this interval. If the dialer is
prone to failing (e.g. if you have a poor connection) this can be
set lower.

Use synchronous RAS dial: Use if RAS problems occur.

Abort after..: This is configurable in milliseconds. This will recover from dials that do not complete
in the specified time.

Wait before redial: If your ISP is busy, it is best to have a wait before redialing takes place.

Dialer Profile Configuration

If you wish to use a dialer profile with WinGate, you must configure it with your account details. To do
this, tick the "Enable this connection to be used by WinGate" option and fill in your details. The dialer
profile will not operate until you have done this.

The "Domain" field is only for logging into an NT domain. Most ISPs will not require you to do this, so
you should normally leave this blank.

NT / 2000 Users:

When accessing this menu for the first time, you will notice that the Username entry has been
automatically filled with your NT username. The Password entry will be left blank and you will have to
fill this field in.

95/ 98 / ME Users:

If the Username and Password fields are left blank, then WinGate will use your default login details,
provided that those exist. The default login details are the username and password saved in your Windows
Dial-up settings. If you do not already have default login details, you must fill them in this dialog.

Note on Home Licenses:

If you are running a WinGate Home license then the "Access" tab will not be available to you.

Multi-Language Support

WinGate now has Multi-Language Support. This support can be downloaded separately as language
packs. Currently language packs are available for English, French, German, Japanese, Korean and
Spanish and apply to GateKeeper, WinGate Internet Client, WinGate Dialup Monitor and the
documentation (help files).

To install a language pack on your system:

1. Download the language pack installer from www.wingate.com and follow the instructions
provided here

2. If the WinGate engine is running you must restart it before a new language will be used

3. When you launch gatekeeper it will detect what regional settings you have installed for
Windows and use the appropriate language.

Note :

• If you get the wrong language you can manually force the use of a language from the command
prompt.

1. Click the ‘Start’ menu

2. Select ‘Run’ and type ‘gatekeeper language = < language wanted>’. Substitute <language
wanted> with DEU for German, FRA for French, ESP for Spanish, JPN for Japanese,
KOR for Korean or ENU for International English.

• You can also override language settings from the registry. See Overriding Language Settings with
Registry in Advanced WinGate Configuration.

WinSock 2 Not Installed

WinSock 2 was not found on this computer.

The installer has detected that you do not have WinSock 2 installed on this computer (it comes standard
with Windows 98, NT4 and 2000). If you want to run WinGate Server or Client on a Windows 95
computer you will have to install this. WinSock 2 provides your applications with special network
functionality.

You can download the Windows 95 WinSock 2 extension for free from the Microsoft web site
(www.microsoft.com), or alternatively from the Deerfield web site (www.deerfield.com).

Client or Server

This topic refers to the installer dialog Welcome to WinGate.

This installer can be used to install the WinGate Server or WinGate Internet Client on a computer.
When you run the installer it will attempt to detect any active WinGate servers. If any WinGate servers
are detected, this installer will then default to installing the WinGate Internet Client. However, you can
select either of these options depending on the configuration that you want for your network.

Welcome to WinGate

Welcome to the WinGate 4 Installer!

This program can install either the WinGate server or the WinGate Internet Client on this computer. Most
of the steps of the installation are clearly explained, but you can click on the Help button at each stage for
further detail.

The installer will detect if you have already set up a WinGate server computer on your network (the
engine must be running for this to occur). If one is detected, the installer will default to "Configure this
computer as a WinGate Internet Client". If none is found (or if the engine is not running), the
installer will default to "Configure this computer as a WinGate Server".

License Info

This topic refers to the installer dialog License Info

The install program provides you with three options:

Install or upgrade WinGate (Enter your WinGate key below)

This will involve entering your "License Name" and "License Key". If you previously had a WinGate 3 or
WinGate 2 license, then the installer will use this (unless you first uninstalled this licensed version). The
License Name is the name under which you registered WinGate. The License Key is the 24-character key
that was emailed to you.

Evaluate WinGate Home, Standard or Pro (free 30 day trial)

Select this option and in the next dialog box, you will be asked to choose between Home, Standard or Pro.
This is a fully functional trial version that will expire after 30 days from the time that you first installed it
on a computer.

Purchase WinGate now (online)

Select this option to visit the WinGate home page where you can purchase a license online. This will
allow you to have a fully registered copy of WinGate that will not expire after 30-days.


License Selector

This topic refers to the installer dialog License Selector

HOME STANDARD PRO

This installer dialog will appear if you have chosen to use a 30 day trial license (by leaving the name and
key fields blank). You can select a HOME, STANDARD or PRO license.

We strongly recommend you click on the following links to learn more about the features packed into
each version. This will help you to select the version that best meets your requirements for Internet
connectivity.

• Short description of features in each version


• Overall comparison of HOME, STANDARD and PRO

If you’re still in doubt, we recommend you choose the PRO license. This will expose you to all that
WinGate has to offer your network.

Express or Custom Setup

This topic refers to the installer dialog WinGate Server.

This dialog requires you to select Express or Custom setup. Express is recommended.

Choose to do a Custom Install if:


• You want to choose whether to install any of the WinGate Proxies
• You want to modify proxy settings
• You want to set up any existing Web, Ftp or Mail Servers to work with WinGate
• You want to modify cache settings.

Services

This topic refers to the installer dialog WinGate Server.

Whilst proxies are not normally required if all of your client computers will be using the NAT and the
WinGate Internet Client (our recommended configuration), you may still need to install the WinGate
Proxies for various reasons (e.g. some of your computers are non-Windows and therefore will not run the
WGIC.)

If you are not sure, select all of the proxies. You can disable them at any later stage. If you don't install
proxies now you can easily add them later with GateKeeper.

Selecting Installation Directory

This topic refers to the installer dialog Selecting Installation Directory.

This directory is where the WinGate executables and resource files will be installed. This should be a
local drive on the Wingate server.

The default directory is

C:\Program Files\wingate

The installer will inform you of the amount of free space on your hard disk.

Select Program Manager Group

This topic refers to the installer dialog Select Group. It will only appear if
you are installing WinGate on Windows NT 3.51.

Use this dialog box to select the Program Manager group in which the WinGate icons will be created.

Install the WinGate NAT Service

This topic refers to the installer dialog WinGate NAT.

The WinGate NAT (Network Address Translation) Service is a significant improvement on the ability to
share "outgoing" access to the Internet e.g. for client software such as browsers, mail clients, ICQ, games
etc. We recommend that you choose to install it with WinGate 4.0.

NAT enables you to share an Internet connection amongst networked computers running virtually any
application on any platform (including Windows, MacOS, Unix and Linux). It also requires NO
configuration if WinGate DHCP is used.

Click here to learn why we recommend installing NAT

Installation Note:

NAT works at a low level in your system. If you choose to install it, several virtual device drivers will
appear in your network settings. More detail about what changes will be made to your network settings
is provided here. These changes are safe and will be completely undone if you uninstall.

Main/Basic Services

This topic refers to the installer dialog Proxy Services. It is only displayed
for a Custom Install.

Whilst proxies are not normally required if all of your client computers will be using the NAT and the
WinGate Internet Client (our recommended configuration), you may still need to install the WinGate
Proxies for various reasons (e.g. some of your computers are non-Windows and therefore will not run the
WGIC, or you want per service control).

If you have WWW or FTP servers, click the ‘advanced’ button to configure these to work with WinGate.

Note:

If you are not sure, select ALL of the proxies. You can disable them at any later stage. If you don't install
proxies now, you can easily add them later with GateKeeper.

Email options in the installer

This topic refers to the installer dialog Mail Settings. It will only be
available if Custom Install was selected.

You have several options:


• Use WinGate directly when sending and receiving email
• Use an email server on your LAN
• Do not configure WinGate for email.

If you want to use the Standard Configuration:

Type in the name of your email server in the top field. This will usually be the name of your ISP's SMTP
server, e.g. mail.server.com. If you are unsure of your SMTP server name, check what it is configured as
in your email software. If you still can’t find the name, simply enter ‘mail’ or similar in the field and edit
it properly later.

If you leave it blank the SMTP mapping will not be installed (so you may have to add it manually later
on).

If you have an email server on your LAN, click the ‘advanced’ button on the dialog. Further help will be
provided there.

Note:

You will want to check (enable) the ‘Install a POP3 Proxy’ option.

News IRC IMAP4 Settings

This topic is only available for a Custom Install.

You can configure WinGate to work with News, IRC and IMAP4 email. To set these up, you need to
know the name of the servers that you want to use. These will be listed in the respective applications.

If you want to use these services, but you don’t know the details for the servers, simply enter ‘server’ or
something similar in each of the fields. If you do not enter anything in the fields, the services will not be
installed.

More on Mappings

WWW Cache Settings

This topic is only available for a Custom Install.

This dialog will configure the WWW cache settings.

The WinGate WWW Proxy provides HTTP caching. HTTP Caching is the process of storing recently
accessed graphics, HTML documents or other files from the Internet on the Wingate server, to allow
faster retrieval the next time they are requested from any LAN computer.

The settings you can alter are:


• Limit the cache size to: – this allows you to limit the size of cached web pages or other files.
• Purge cache when full – this will remove unwanted files based on the purge rules.

Limiting the cache is sensible, as it will stop the cache filling up your hard drive. Purging will delete
unwanted files when the cache is full. We recommend accepting the defaults.

More on the cache

The Log file viewer

This topic is only available for a Custom Install.

Log files are used to provide a complete record of the Wingate server's activity, and therefore provide you
with an important source of information. The log file viewer enables you to view these records with your web
browser (with Netscape you will be able to use ‘find in page’ (from the edit menu) to search for particular log
file entries).

Note that GateKeeper allows you to configure what the WinGate engine will log (to a degree). You may
also want to use the WinGate Scheduler to set up an automated rollover of log files (to prevent them
becoming too large and unmanageable).

Click on the link to learn more about using the Log file viewer.

Start Installation

Begin the Installation Process.

This step begins the installation procedure. It will copy the appropriate files onto your computer and
make some adjustments to the various system settings (e.g. Windows registry).

If you have chosen to install the WinGate server, then the WinGate engine service will start once the
install is complete. You should open the help file (in GateKeeper) and read through the installation
sections. This will show you how best to configure the WinGate server computer, and provide
instructions for setting up the client computers on your network.

If you have chosen to install the WinGate Internet Client, then your computer will be ready to access the
Internet once the install is complete.

Backup Replaced Files

This topic refers to the installer dialog Backup Replaced Files.

This installation program can create backup copies of all files replaced during the installation. These files
will be used when the software is uninstalled and a rollback is requested. If backup copies are not created,
you will only be able to uninstall WinGate and not roll the system back to a previous state.

This is the recommended option.

Known Issues in NT Release

The following table outlines (in more detail) the known issues on Windows NT4 with this release of
WinGate. Until we have a high degree of confidence in a WinGate release, it is not released to the public.
However, there are inevitably problems (normally minor) that we will not discover. For this reason we do
not recommend installing a WinGate release on any production computer.

If you do find any problems with this release then we encourage you to report these (in as much detail as
possible) to bugs@qbik.com. This will help us to make WinGate a better product.

Issue: Adding/removing a network or dialup adapter breaks the WinGate NAT service.
Caution: Low
Dangers: At present, the NAT service does not properly deal with this. Adding/removing network
adapters will break local networking (but not dialup) from the Wingate server. Adding/removing
dialup adapters will break both local and dialup networking from the Wingate server.
NEW Workaround: Run "WinGate NAT Toggle" from the Start Menu (under the WinGate Program
Group). If the NAT exists it will be removed without affecting the rest of the installation. This will
repair any network problems caused by the installation (by restoring the original network
configuration).

Issue: Installing on computers with more than one network card may cause problems (uncommon).
Caution: Low
Dangers: Some beta testers and users have reported that local networking breaks after installing
WinGate NAT. This is not a common problem and only appears to occur with certain makes/models
of network cards.
NEW Workaround: Run "WinGate NAT Toggle" from the Start Menu (under the WinGate Program
Group). If the NAT exists it will be removed without affecting the rest of the installation. This will
repair any network problems caused by the installation (by restoring the original network
configuration).

Issue: Network and dialup adapters will appear with wrong label with IPCONFIG /ALL at command
prompt.
Caution: Low
Dangers: All adapters will appear as "Ashley Laurent Virtual Private Networking Adapter". This
means that you will not be able to tell which adapter is which with IPCONFIG /ALL.
Workaround: Try writing down the IP address (if one is assigned) of each adapter before installing.
This will help you to tell them apart.

Known Issues in 95/98 Release

The following table outlines (in more detail) the known issues on Windows 95/98 with this release of
WinGate. Until we have a high degree of confidence in a WinGate release it is not released to the public.
However, there are inevitably problems (normally minor) that we will not discover. For this reason we do
not recommend installing a WinGate release on any production computer.

If you do find any problems with this release then we encourage you to report these (in as much detail as
possible) to bugs@qbik.com. This will help us to make WinGate a better product.

Issue: Can not be installed on Windows 98se when MS Internet Sharing is installed.
Caution: Low
Dangers: The install program will NOT allow you to install the NAT component of this release when
MS-Internet Sharing is detected. This is because of a known issue that is currently under
development.
Workaround: You may still do a custom install that will install everything but the NAT component
(the NAT is causing the issue). Otherwise, you may wish to remove the MS Internet Sharing
component (you can do this from Network properties – simply remove the two MS drivers and
restart).

Issue: Adding/removing a network or dialup adapter breaks the WinGate NAT service.
Caution: Low
Dangers: At present, the NAT service does not properly deal with this. Adding/removing network
adapters will break local networking (but not dialup) from the Wingate server. Adding/removing
dialup adapters will break both local and dialup networking from the Wingate server.
NEW Workaround: Run "WinGate NAT Toggle" from the Start Menu (under the WinGate Program
Group). If the NAT exists it will be removed without affecting the rest of the installation. This will
repair any network problems caused by the installation (by restoring the original network
configuration).

Issue: Installing on computers with more than one network card may cause problems (uncommon).
Caution: Low
Dangers: Some beta testers and users have reported that local networking breaks after installing
WinGate NAT. This is not a common problem and only appears to occur with certain makes/models
of network cards.
NEW Workaround: Run "WinGate NAT Toggle" from the Start Menu (under the WinGate Program
Group). If the NAT exists it will be removed without affecting the rest of the installation. This will
repair any network problems caused by the installation (by restoring the original network
configuration).

Issue: Network and dialup adapters will appear with wrong label in WINIPCFG.EXE applet.
Caution: Low
Dangers: All adapters will appear as "Ashley Laurent Virtual Private Networking Adapter". This
means that you will not be able to tell which adapter is which with IPCONFIG /ALL.
Workaround: Try writing down the IP address (if one is assigned) of each adapter before installing.
This will help you to tell them apart.

WinGate Lite License

The Lite License has been re-introduced with WinGate 4.0. The Lite License consists of WinGate Home
(including the NAT service), but will be restricted to sharing a connection between 2 users only (localhost
plus one other). WinGate Lite has a lengthy trial and evaluation period that will be determined by
Deerfield (and may be renewable upon expiry).

The install program can retrieve a Lite License for you from the Internet. Note that this license will
expire eventually but is intended to provide you with a lengthy evaluation period. To retrieve this license
you must have a current online connection to the Internet.

If you do NOT wish to retrieve a license online then proceed (by clicking the "Next" button and leaving
the license field blank) and the install program will issue you a temporary Lite license that will expire
after 7 days.

User Database Integration with NT & 2000

This topic refers to the installer dialog User Database.

If you select to ‘Use NT for User Authentication’ in the install program (recommended) then WinGate
will create users and groups so that it is synchronized with the local NT/2000 user database.

This feature makes it easier to control and manage Internet users by building on the existing user and
group policies configured for NT. By basing your WinGate user and group database on the NT user
database, you benefit from:
• Having a single place to manage users and groups from
• Strong NT-based authentication of users (WinGate will use NT user names and passwords to
verify the identity of users on the LAN).

Click here to learn more.

Download WinGate Plugins

This topic refers to the installer topic Plug-in Support.

The following powerful plug-ins for WinGate are complimentary for WinGate 4 Pro, Standard and Home
licenses (yet another reason to upgrade from an earlier version).

• ENS (Extended Network Support)


• InterQuick (content-filtering and much more)

Go directly to http://www.wingate.com/plugin (cut and paste this link into your browser). Here you
will find out what extra functionality and benefits these plug-ins provide, and how you can download
them from the Deerfield web site.

Advanced WWW Settings

This topic refers to the installer dialog Proxy Services – HTTP Advanced. It
will only be available if Custom Install was selected.

If you enable the "Enable support for existing WWW server" option, you will need to fill in the following
fields:

Server: this field must contain the name of the server that you wish to redirect to.

Web Server Port: the port number of the web server application.

WWW Proxy Service Port: the port number that WinGate listens on. The usual WWW proxy port is 80.
This is configurable.

Note: If your web server is running on the same computer as WinGate, then the port numbers must be
different.

Click here for more information about the WWW Proxy Server

Advanced FTP Settings

This topic refers to the installer dialog Proxy Services – FTP Advanced. It
will only be available if Custom Install was selected.

If you enable the "Enable support for an existing FTP server" option, you will need to fill in the following
fields:

Server: this field must contain the name of the server that you wish to redirect to.

FTP Server Port: the port number of the FTP server application.

FTP Proxy port: the port number that WinGate listens on. The usual FTP proxy port is 21.

Note: If your FTP server is running on the same computer as WinGate, then the port numbers must be
different.

Click here for more information about FTP Proxy

Advanced Email Settings

This topic refers to the installer dialog Mail Settings – Advanced Email
Settings. It will only be available if Custom Install was selected.

If you are running an email server on your network, you may wish for WinGate to connect to this instead
of an ISP mail server. Enter the details of your service in the fields provided in the dialog box.

Related topics:

SMTP Proxy Service

SMTP Proxy Set Up

POP3 Proxy

Installation Overview

This guide is intended for people installing this version of WinGate. It is strongly recommended that you
read the entire guide before installing WinGate. This is because WinGate may not work unless you install
it on the right computers and in the right order. Following the steps below will help you to complete a
successful install first time.

We also encourage you to be familiar with our recommended setup before you begin installing WinGate.
This will prevent backtracking later on. Following this you should be ready to install WinGate on your
network. Follow these steps carefully to ensure an easy and trouble free install:

STEP 1 Setting up a working network

STEP 2 Setting up the Wingate server

STEP 3 Installing or upgrading to this version of WinGate

STEP 4 Setting up the client computers

What method(s) do you want your applications to use to access the Internet?

(i) Configuring the Client Computers to use ENS (General Purpose Internet Sharing)

(ii) Configuring the Client Computers to use WGIC

(iii) Configuring the Client Computers to use Proxies

STEP 5 Configuring your Internet sharing with GateKeeper

If you already have a working network, you will find this installation simple. This guide is organized so
that you can follow each installation step in the order that you should do it. Once you have completed a
step, click on the toolbar button labeled >> to move to the next required step.

Note:

If you purchased a computer that has WinGate server/client installed already, you will not need to follow
this install process because WinGate will already be set up to work correctly.

STEP 1: Setting Up A Working Network

You must have a working network before you can install WinGate. This network can be Ethernet, Token-
Ring, FDDI, etc. as long as it uses the TCP/IP protocol (if using the WinGate NAT then only Ethernet at
present).

Before beginning to install WinGate, you should test to see that TCP/IP is working properly by ‘pinging’
each computer on your network.

--------------------------------------------------------------------

Click here to return to the install menu.

STEP 2: Setting up the Wingate server

The requirements for installing or upgrading to this version of WinGate are very basic. In all cases, you
should set up the Wingate server before you begin configuring the client computers. Note that if you are
upgrading from a working version of WinGate then you should not need to alter your existing setup. We
recommend that you change the Windows network name for this computer to ‘WINGATE’ (this is only
for ease of identification and is not necessary).

Your Wingate server must meet the following basic requirements:


• Windows 95, 98, NT (version 4.0 or later). WinGate versions higher than 3.0.5 will NOT run on
Windows NT 3.51
• If running Windows NT, we recommend you have a minimum of Service Pack 4 installed
• A direct connection to the Internet
• TCP/IP installed
• TCP/IP configured for WinGate
• WinSock2 installed (only if computer is running Windows 95).

Once the computer meets these requirements, you are ready to begin a clean install of WinGate, or
upgrade an existing install to a later version of WinGate. If you already have a working version of
WinGate, then we recommend that you upgrade to preserve your existing configuration.



STEP 3: Installing or upgrading WinGate

Once the Wingate server is ready, you must decide whether to do a clean install, or upgrade an existing
copy of WinGate installed on this computer. If you have another version of WinGate working already,
we recommend you choose to upgrade (this means you can retain your existing configuration). If you do
not do this you will lose any previous configuration.

• Begin clean install of this version of WinGate


• Begin upgrading to this version of WinGate


Service Pack Requirements
This version of WinGate requires you to have Service Pack 4 or later installed on your WinGate server
computer (this applies to both NT Server 4.0 and NT Workstation 4.0).

See the WinGate Info link (view this from the WinGate program group under the Start Menu) –
‘downloads’ section, to learn where you can get the required patch from.

Direct Connection to the Internet

It is essential that the chosen Wingate server have a direct connection to the Internet. This connection is
the one that will be shared amongst the client computers. It can be a dial-up account held with an ISP, an
ISDN line, a T1 leased line or any other method that provides a computer with direct connectivity to
the Internet.

Note that the performance of WinGate will be directly affected by the speed of the Internet connection
you are using. Therefore, we recommend that you purchase the best connection that you can afford.

Installing TCP/IP on the WinGate server

Installing TCP/IP is one of the most important requirements for using WinGate. Both the Wingate server
and client computers (whether running Windows, MacOS, Unix or Linux) must have this networking
protocol installed. It is usually bundled free with your operating system.

Important Note:

• If you have a working Internet modem setup then you already have TCP/IP installed and
therefore this step may be skipped

• You may be asked for a disk to install the software from. This will be the CD or disk for your
operating system (e.g. a Windows CD).

In Windows 95 or 98

1. Press the Start button

2. Select Settings /Control Panel

3. Double-click the Network icon

4. To install TCP/IP, click the ‘Add...’ button

5. Double-click Protocol, then select Microsoft

6. Select TCP/IP and click OK.

(** You will be asked to restart your computer **)

In Windows NT4
1. Press the Start button
2. Select Settings / Control Panel
3. Double-click the Network icon
4. To install TCP/IP, choose protocol
5. Click Add
6. Select TCP/IP Protocol and click OK.

(** You will be asked to restart your computer **)

In Windows 2000

1. Press the Start button

2. Select Network and Dialup Connections

3. Double-click the 'Local Area Connection' icon

4. Click on the ‘Install...' button

5. Select Microsoft, then TCP/IP Protocol

6. Click OK.

(** You will be asked to restart your computer **)



Configuring TCP/IP for the WinGate server

Because of the way WinGate works, you'll need to assign a special (known as static) IP address to the
Wingate server. We strongly recommend 192.168.0.1 and we will refer to that number from here on. If
you are not using this number, or any of the defined private addresses allocated by the InterNIC (the
governing body that allocates all Internet addresses), then you may run into conflict problems. This
should be relatively rare however.

There are five or six sections in this dialog box. We'll deal with each of them in order:

IP Address: Select the ‘Specify an IP address’ option. Then type in 192.168.0.1 as the IP address.
This is a private address that won't exist anywhere on the Internet, so you can let the
Wingate server use it for the internal LAN only. Next, fill in the ‘Subnet Mask’ text
area with 255.255.255.0

WINS Configuration: Leave this as is.

Gateway: Leave this entry blank even if you intend to use the NAT.

Bindings: By default, the Client for Microsoft Networks option is checked. Leave it alone.

Advanced: No changes are needed from the default.

DNS Configuration: Select the ‘Enable DNS’ option. Enter your user name in the Host box. In the
Domain, put in the name of your ISP, like abc.com or partyon.com or whatever.

In the DNS Server Search Order section, put in the IP address of your provider's name
server and press the ‘Add’ button. It should already be there, so don’t add it again if it is.
To find this number if you have a shell account on your ISP’s server, you can log into
your provider with a terminal program (telnet) and type ‘nslookup’. Your provider's
server will return the DNS address. If that doesn't work, you can use 131.107.1.7 and/or
204.95.111.254 (those belong to Microsoft).

In the Domain Suffix Search Order section, type in the domain suffix (usually the same
as the domain) and press the Add button.

When you're all done setting these options, press the OK button. Then press the OK button in the
Network dialog box. Windows will ask you to reboot. Press ‘Yes’ and wait for your computer to restart.


Installing WinSock 2

Some versions of Windows 95 will not have WinSock 2 installed (it is standard with 98, NT4 and 2000).
You will have to install it before you can install WinGate on this computer. WinSock 2 provides your
applications with special network functionality.

You can download the WinSock 2 extension for free from the Microsoft web site (www.microsoft.com)
or alternatively from the Deerfield web site (www.deerfield.com).


Clean Install of WinGate

Important Notes About Installation:

• Make sure that your selected Wingate server meets the requirements outlined here

• If you chose to install the NAT (this is part of the typical install) then several important changes
will have been made to your network configuration. To learn more about these, click here

• WinGate has the WGIC client software for Windows-PCs on your LAN. This is installed with
the same installation program as used to install WinGate server. When the installer is run on any
computer, it looks for an existing Wingate server on the same network. If one is found, the
installer defaults to a client installation.

To begin a clean install, answer the question below and then follow the instructions carefully.

What did you run on your network prior to this WinGate version?

• No proxy server or gateway at all

Run the installer program on your selected Wingate server.

• Any other version of WinGate

1. Uninstall the old version. This will effectively lose all of your previous configuration and
settings (if you do not want to lose these we recommend you do an upgrade installation). To
uninstall, select ‘Uninstall WinGate’ from the WinGate program group under the Start
menu

2. Run the install program on your selected Wingate server.

• Another proxy server product e.g. Microsoft Proxy Server 2.0

We recommend removing any other proxy server software, as it is likely to conflict with
WinGate (i.e. services will attempt to run on the same ports). However, this is not absolutely
required – it is possible to run any number of proxy server products on the same computer.

Was the clean install successful?

WinGate runs "invisibly" as a Windows Service. This means it won’t appear as an application on your
desktop. The file WinGate.exe does the actual work without interfering with the usability of your
computer. The big advantage of services is that they run when Windows starts. No user has to be logged
in for services to run, and the operating system does not close them down when a user logs off. The
operation of services in 95/98 is a little different than NT, but the same basic operation is achieved.

When the installer has finished, the following icon should appear in the system tray:

This indicates that the WinGate Engine Service is running and that the install was successful. Icons will
have been added to the WinGate group for stopping and starting this service. Make sure that the WinGate
engine is running before starting to configure the client computers.



Upgrading to WinGate

Bug-Fixes & Minor Enhancements

A range of bug fixes and minor enhancements have been addressed in this WinGate release. You are
encouraged to browse these changes and updates by selecting the "WinGate Info" link from the Start
Menu in the WinGate program group.

If you already have a version of WinGate installed, the installer will automatically detect an upgrade and
select defaults accordingly. An upgrade will replace the original WinGate program and resource files
with updated versions, and configure any new features. It will allow you to keep your existing
configuration, but will make changes to accommodate the new features.

Important Notes About Installation:

• Make sure that your selected Wingate server meets the requirements outlined here.

• If you chose to install the NAT (this is part of the typical install), then several important changes
will have been made to your network configuration. To learn more about these click here.

• WinGate has the WGIC client software for Windows-PCs on your LAN. This is installed with
the same installation program as used to install WinGate server. When the installer is run on any
computer it looks for an existing Wingate server on the same network. If one is found the
installer defaults to a client installation.

To begin upgrading answer the question below, then follow the instructions carefully.

What did you run on your network previous to this WinGate version?

• WinGate 3.0 using DHCP, clients using the WGIC

1. Simply run the install program on your existing WinGate Server computer to upgrade. As
an extra precaution, you may want to back up your WinGate registry settings before
installing (this is optional)

2. You must release and renew the existing TCP/IP configuration on all client computers

3. Restart any client computers. Once the computers restart they should use the NAT for
default outgoing access to the Internet

4. Re-install the WGIC.

• Older version of WinGate (e.g. 2.1 or 3.0) using DHCP, clients using Proxies

1. Simply run the install program on your existing WinGate Server computer to upgrade. As
an extra precaution, you may want to back up your WinGate registry settings before
installing (this is optional)

2. You must release and renew the existing TCP/IP configuration on all client computers

3. Restart any client computers and remove any proxy settings from client applications

4. Configure your client applications to use a direct connection to the Internet and they will
use the NAT for default outgoing access to the Internet

• Older version of WinGate with no DHCP (manual TCP/IP client configuration), clients
using WinGate proxies

1. Run the install program on your existing WinGate Server computer to upgrade. As an extra
precaution, you may want to back up your WinGate registry settings before installing (this is
optional)

2. You may want to install the WGIC

3. If you want to change to using the WinGate DHCP (highly recommended):

a) On your client computers, open networking in the control panel, select TCP/IP and
click on properties. On the ‘IP Address’ tab, choose ‘Automatically Assigned IP’
(this will be assigned by the WinGate DHCP server)

b) You must release and renew the existing TCP/IP configuration on all client
computers

c) You may be prompted to restart the client computers. When they come back online
they will be using the NAT

4. If you want to keep using an existing DHCP server on your network:

a) Set the ‘Router’ option on your DHCP server to 192.168.0.1 or to the IP Address
of the WinGate server

b) You must release and renew the existing TCP/IP configuration on all client
computers

c) You may be prompted to restart the client computers. If your DHCP server is
working correctly, the clients will use the NAT when they come back online

5. If you do not wish to use DHCP:

a) You must manually configure your client applications to use the NAT. The only
change you must make to your existing client configuration is the ‘Default
Gateway’ (on the ‘IP Address’ tab of TCP/IP properties). Change this to
192.168.0.1 or the IP address of the WinGate Server computer on your network

b) Restart the client computers. When they come back on-line, they will be using the
NAT.
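
The manual addressing rules given in this guide (a private static address such as 192.168.0.1 with mask 255.255.255.0 on the WinGate server, a blank gateway entry on its LAN adapter, and the server's address as each client's Default Gateway) can be checked on paper before any computer is restarted. The Python script below is an added example, not part of WinGate or its documentation; the host names, the sample plans and the reading of "defined private addresses" as the RFC 1918 blocks are assumptions.

```python
import ipaddress

# RFC 1918 blocks, assumed here to be the "defined private addresses"
# the guide refers to.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plans: host name -> (IP address, subnet mask, default gateway).
GOOD_CLIENTS = {
    "pc1": ("192.168.0.2", "255.255.255.0", "192.168.0.1"),
    "mac1": ("192.168.0.3", "255.255.255.0", "192.168.0.1"),
}
BAD_CLIENTS = {
    "pc1": ("192.168.0.2", "255.255.255.0", "192.168.0.254"),  # wrong gateway
    "pc2": ("192.168.1.7", "255.255.255.0", "192.168.0.1"),    # wrong subnet
    "pc3": ("192.168.0.2", "255.255.255.0", "192.168.0.1"),    # same IP as pc1
}


def is_rfc1918(addr):
    """True if addr (an IPv4Address) lies in one of the RFC 1918 blocks."""
    return any(addr in net for net in RFC1918)


def check_plan(server_ip, netmask, server_gateway, clients):
    """Return a list of problems; an empty list means the plan is consistent.

    server_gateway is the Gateway entry on the server's LAN adapter, which
    the guide says to leave blank. clients maps a host name to
    (ip, netmask, default_gateway) strings.
    """
    problems = []
    try:
        server = ipaddress.IPv4Interface(f"{server_ip}/{netmask}")
    except ValueError as exc:
        return [f"server: invalid address or mask ({exc})"]
    lan = server.network
    reserved = (lan.network_address, lan.broadcast_address)

    if not is_rfc1918(server.ip):
        problems.append(f"server: {server.ip} is not a private address")
    if server.ip in reserved:
        problems.append(f"server: {server.ip} is the network or broadcast address of {lan}")
    if server_gateway.strip():
        problems.append("server: gateway entry on the LAN adapter should be blank")

    seen = {server.ip: "server"}  # address -> first host that claimed it
    for name, (ip, mask, gateway) in sorted(clients.items()):
        try:
            host = ipaddress.IPv4Interface(f"{ip}/{mask}")
            gw = ipaddress.IPv4Address(gateway)
        except ValueError as exc:
            problems.append(f"{name}: invalid setting ({exc})")
            continue
        if host.network != lan:
            problems.append(f"{name}: {host} is not in the server's subnet {lan}")
        elif host.ip in reserved:
            problems.append(f"{name}: {host.ip} is the network or broadcast address of {lan}")
        if host.ip in seen:
            problems.append(f"{name}: {host.ip} duplicates {seen[host.ip]}")
        else:
            seen[host.ip] = name
        if gw != server.ip:
            problems.append(f"{name}: default gateway {gw} is not the WinGate server {server.ip}")
    return problems


if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_CLIENTS), ("bad plan", BAD_CLIENTS)):
        print(label)
        for line in check_plan("192.168.0.1", "255.255.255.0", "", plan) or ["  no problems found"]:
            print(" ", line.strip())
```
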

Was the upgrade install successful?

WinGate will run "invisibly" as a Windows Service. This means it won’t appear as an application on
your desktop. The WinGate.exe file does the actual work without interfering with the usability of your
computer. The big advantage of services is that they run when Windows starts. No user has to be logged
in for services to run, and the operating system does not close them down when a user logs off. The
operation of services in 95/98 is a little different than NT, but the same basic operation is achieved.

When the installer has finished, the following icon should appear in the system tray:

This indicates that the WinGate Engine Service is running. Icons will have been re-added to the WinGate
group for stopping and starting this service. Make sure that the WinGate engine is running before starting
to configure the client computers. Start GateKeeper and check to see that all of your settings (policies,
groups and users, mapped links etc.) have appeared in the upgraded version.



STEP 4: Setting up the Client computers

The requirements for setting up the clients can vary depending on what capabilities you want them to
have. In all cases, you should set up the WinGate server and start the service before you begin configuring
the client computers.

Before you do anything, you must have TCP/IP installed and working on all of your client computers
(whether they are running Windows, MacOS, Unix or Linux).

• TCP/IP protocol installed properly

• TCP/IP configured for WinGate.

Next, you can decide what individual Internet requirements you have for each client computer. WinGate
enables you to configure them separately, according to their requirements. You can compare each method
by clicking here.

We recommend this setup for client computers.



Installing TCP/IP on the Client computers

Ensure that the WinGate engine is running on the network before you configure the client computers (the
engine will start automatically following a successful install).

TCP/IP may already be installed. If this is the case, you may not need to install it again but you can test
to see that it is working properly. If you later have problems with TCP/IP, remove and reinstall the
protocol using these steps.

Note:

• If you have a working Internet modem setup then you already have TCP/IP installed.

• You may be asked for a disk to install the software from. This will be the CD or disk for your
operating system (e.g. a Windows CD).

In Windows 95 or 98
1. Press the Start button
2. Select Settings /Control Panel
3. Double-click the Network icon
4. To install TCP/IP, click the Add... button
5. Double-click Protocol, then select Microsoft
6. Select TCP/IP and click OK.
(** You will be asked to restart your computer **)

In Windows NT 4
1. Press the Start button
2. Select Settings /Control Panel
3. Double-click the Network icon

4. To install TCP/IP, choose protocol
5. Click Add
6. Select TCP/IP Protocol and hit OK.
(** You will be asked to restart your computer **)

In Windows 2000

1. Press the Start button

2. Select Network and Dialup Connections

3. Double-click on the 'Local Area Connection' icon

4. Click on the ‘Install...' button

5. Select Microsoft, then TCP/IP Protocol

6. Click OK.

(** You will be asked to restart your computer **)

You should repeat this process for each computer that you want to share the Internet with, using WinGate.
Once you have done this, we recommend you test your installation of TCP/IP.

Configuring TCP/IP on the Client computers

WinGate has the ability to configure TCP/IP settings for your client computers automatically. It does this
with the WinGate DHCP server. We strongly recommend you use this approach for many reasons. To
learn more about the benefits of DHCP and what it does, click here.

You may not be able to use DHCP for several reasons: you are using an unlicensed trial copy (DHCP is
only available with licensed copies), you have networked computers that do not support DHCP, or you
already use another DHCP server on your network and do not wish to change it.

To configure your clients, choose one of the following approaches:

• Set up client computers to use WinGate DHCP server to configure TCP/IP.

• Set up client computers configuring TCP/IP manually (i.e. no DHCP enabled).

• Set up client computers to use another DHCP server on your network.


Use WinGate DHCP server to configure clients

This is the most recommended approach. These settings will be the default after installing TCP/IP.
Therefore, if you have just installed TCP/IP the settings should already be correct.

In Windows 95…

1. Press the Start button

2. Select Settings, then Control Panel

3. Double-click the Network icon. You'll see a dialog box

4. Select the TCP/IP properties that are assigned to your physical network adapter, NOT
your dial-up adapter

5. Press the Properties... button. You should get the TCP/IP Properties box

6. Select ‘Obtain an IP address automatically’

7. Click OK.

(** You may be asked to restart your computer **)

In Windows NT 4…

1. Press the Start button

2. Select Settings, then Control Panel

3. Double-click the Network icon. You'll see a dialog box. Select the Protocols tab

4. Select TCP/IP then the Properties button

5. Select your LAN card, (not dial up adapter)

6. Select ‘Obtain an IP address from a DHCP server’

7. Click OK.

(** You may be asked to restart your computer **)

In Windows 2000…

1. Click on the Start button

2. Select Settings, then Control Panel, then Network and Dialup Connections

3. Double-click on the 'Local Area Connection' icon

4. Click on the Properties button to view a list of installed protocols

5. Select TCP/IP Protocol

6. Click on the ‘Properties’ button

7. Select ‘Obtain an IP address from a DHCP server’

8. Click on OK.

(** You may be asked to restart your computer **)

When you restart the computer, it will find DHCP during startup. This will allow DHCP to automatically
configure your computer to use WinGate.

If you are not asked to restart your computer, you can invoke DHCP by releasing/renewing the current
TCP/IP configuration. This will have the same effect and the configured computer will now be able to
access the Internet with WinGate (make sure that you have started the WinGate engine).

Use another DHCP server to configure your clients

If you are already using another DHCP server (and do not wish to change), you must make one important
change. Set the ‘Router’ option on your existing DHCP server to be the IP of your WinGate server. This
will allow your client computers to use the WinGate NAT.

You can test the TCP/IP configuration once this is complete.


Do not use DHCP to configure clients

We do not recommend using this approach as it means you must configure TCP/IP manually. However,
you may choose not to use DHCP for various reasons. In this case, we have listed the changes you must
make to configure the TCP/IP on your client computers to use WinGate.

You'll need to assign some private IP addresses to each of the computers on your LAN. Since you've
already given a private IP address to the WinGate server, you'll need to provide unique IP addresses in the
same subnet to the workstations on the LAN. If you don't know what that means, don't worry. Just
number all your LAN workstations consecutively, starting from 192.168.0.2, then 192.168.0.3 and so on.
For example, since you used 192.168.0.1 for the Wingate server, use 192.168.0.2 for the first workstation,
192.168.0.3 for the second, etc.

Make sure you choose a different private IP address for each computer, and remember which number you
chose.

In Windows:

1. Press the Start button, select Settings, then Control Panel

2. Double-click the Network* icon. You'll see a dialog box

3. If you have more than one network card, select the TCP/IP properties that are assigned to your
physical network adapter (network card), NOT your dial-up adapter (modem) in the ‘Connect
Using’ text box.

4. Press the Properties... button. You should get the TCP/IP Properties box (on Windows 98 this
setting is found on the ‘Gateway’ tab).

*(in Windows NT, select Network & Dialup Connections then click on Local Area Connections)

There are six sections in this dialog box. We'll deal with them in order. Most of these options should be
correct to start with.

IP Address

These changes are important, so follow these instructions carefully:

1. Select the ‘Specify an IP address’ option

2. For the ‘IP Address’ type in a unique private IP address that you have selected for this
computer. IT MUST NOT BE THE SAME AS ANY OTHER COMPUTER ON THE LAN,
INCLUDING THE WINGATE SERVER!

3. For the Subnet Mask type in 255.255.255.0

4. For the default gateway type in 192.168.0.1 (or the IP of your Wingate server). This option
allows the client computer to use the NAT.

WINS Configuration

Select the Disable WINS Resolution option.

Gateway

Enter the private IP address of the WinGate server and add this as a gateway. This means that any data
that is not destined for a computer on your LAN, will be forwarded to the WinGate server.

Bindings

By default the Client for Microsoft Networks option will be enabled. Accept this default setting.

Advanced

Accept the default settings.

DNS Configuration

Select the Enable DNS option. Enter the name you want the computer known by (internally - the Internet
cannot see these computers) in the Host box; you can leave the Domain box blank.

In the DNS Server Search Order add the IP number you allocated to your WinGate server (e.g.
192.168.0.1). WinGate acts as a partial DNS server by using the DNS setup on the Wingate server to
look up names for client computers.

Notes:
• Having set up these options, you will probably have to restart the computer.
• It is advisable to create a host file if you are not using DHCP (see creating host files).

You can test the TCP/IP configuration once this is complete.
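
Before typing a manual addressing plan into each workstation, it can be checked against the rules given above: a unique address in the WinGate server's subnet, the 255.255.255.0 mask, and the WinGate server as both default gateway and DNS server. The following is an added example, not part of the WinGate manual or product; the workstation names, the sample plan and the function name check_plan are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# The server address and mask are the ones this manual uses in its examples.
SERVER_IP = "192.168.0.1"
NETMASK = "255.255.255.0"

PROBLEMS = {
    "bad-ip": "IP address is not a valid address",
    "same-as-server": "IP address is the WinGate server's own address",
    "outside-subnet": "IP address is not in the WinGate server's subnet",
    "reserved-address": "IP address is the subnet's network or broadcast address",
    "duplicate-ip": "IP address is also assigned to another workstation",
    "wrong-mask": "subnet mask differs from the one used on the LAN",
    "wrong-gateway": "default gateway is not the WinGate server (NAT will not be used)",
    "dns-missing-server": "WinGate server is not in the DNS server search order",
}


def _client(ip, gateway=SERVER_IP, dns=(SERVER_IP,), mask=NETMASK):
    """Build one workstation entry; defaults are the values the manual asks for."""
    return {"ip": ip, "mask": mask, "gateway": gateway, "dns": list(dns)}


# Constructed sample plan (hypothetical workstation names and settings).
SAMPLE_PLAN = {
    "ws1": _client("192.168.0.2"),
    "ws2": _client("192.168.0.3"),
    "ws3": _client("192.168.0.3"),                         # same address as ws2
    "ws4": _client("192.168.0.1"),                         # collides with the server
    "ws5": _client("192.168.1.5"),                         # different subnet
    "ws6": _client("192.168.0.6", gateway="192.168.0.4", dns=()),
    "ws7": _client("192.168.0.255"),                       # broadcast address
}


def _parse(text):
    """Return an address object, or None when the text is not an IP address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_plan(server_ip, netmask, clients):
    """Return a sorted list of (host, problem_code) for a manual addressing plan."""
    server = ipaddress.ip_address(server_ip)
    lan = ipaddress.ip_network(f"{server_ip}/{netmask}", strict=False)
    findings = set()
    owners = defaultdict(list)          # address -> workstations that claim it
    for host, cfg in clients.items():
        ip = _parse(cfg["ip"])
        if ip is None:
            findings.add((host, "bad-ip"))
            continue
        owners[ip].append(host)
        if ip == server:
            findings.add((host, "same-as-server"))
        if ip not in lan:
            findings.add((host, "outside-subnet"))
        elif ip in (lan.network_address, lan.broadcast_address):
            findings.add((host, "reserved-address"))
        if cfg["mask"] != netmask:
            findings.add((host, "wrong-mask"))
        if _parse(cfg["gateway"]) != server:
            findings.add((host, "wrong-gateway"))
        if server not in [_parse(entry) for entry in cfg["dns"]]:
            findings.add((host, "dns-missing-server"))
    for hosts in owners.values():
        if len(hosts) > 1:
            findings.update((host, "duplicate-ip") for host in hosts)
    return sorted(findings)


if __name__ == "__main__":
    for host, code in check_plan(SERVER_IP, NETMASK, SAMPLE_PLAN):
        print(f"{host}: {PROBLEMS[code]}")
```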


Configuring clients to use proxies

With the WGIC and NAT there are few occasions where you should need to use a proxy. However, to
use a proxy, you configure the application itself to point at the proxy server (by specifying the IP address
of the Wingate server and port number that the proxy service is running on).

To learn how you can integrate proxies with the NAT click here.



Configuring Clients To Use ENS (NAT)

All you need to do is set the default gateway to be the private IP address of the WinGate server. This
setting is part of TCP/IP properties and can be configured in several ways:

• Automatically with the WinGate DHCP server (recommended approach)

• Using another DHCP server running on your network (not recommended)

• Manually in the network properties (not recommended).



Changes made by WinGate Installation

After installing WinGate you may notice that several changes have been made to your ‘Network Settings’
on the WinGate Server computer. These settings will not change the normal operation of your system
and will be completely restored to their original state if you choose to uninstall WinGate.

Note for users of WinGate on Windows NT 4:

The NAT for Windows NT consists of two low-level driver files, vprotnt.sys and vminint.sys. These are
placed in the 'drivers' directory under Windows\system32. These drivers will appear in your ‘Network
Properties’ as:

• Protocols (VPCom Protocol driver).

• Adapters (VPCom LAN/Wan wrapper).

The linking and binding required for the NAT is very complicated and we do not recommend changing
these manually.

Note for users of WinGate on Windows 95/98:

In the ‘Network Properties’ the NAT driver is displayed as ‘WinGate NAT Protocol Driver’ and
‘WinGate Nat Port Driver’. TCP/IP may not be listed in your networking setup following an install of
WinGate. It still exists and will function as normal. If you choose to uninstall WinGate, your network
will be restored to its original state.

Test TCP/IP

Ping is a popular utility that is installed as part of the TCP/IP protocol suite. It is used as a quick and easy
method of finding out whether or not another computer is online and responding.

When you "ping" another computer’s IP address (or by domain name), you are effectively sending out the
message "Are you there?" (this consists of four ICMP packets). If the computer is online and able to
respond, it will then send a reply consisting of the same four ICMP packets.

If you try and use the ping command and it fails, you can use Event Viewer to check the event log and
look for problems reported by Setup or the Internet Protocol (TCP/IP) service.

Testing TCP/IP on the Local Computer

You can test whether the TCP/IP installed on a computer is working properly by ‘pinging’ the loopback
address on your computer. You do this by typing ping 127.0.0.1 at the command prompt.

If ping fails, verify that the computer was restarted after TCP/IP was installed and configured.

Pinging Across the Network

(a) ‘Pinging’ the Wingate server

At the command line type (replacing 192.168.0.1 with the IP of your Wingate server):

ping 192.168.0.1

The response should be:

Pinging [192.168.0.1] with 32 bytes of data

Reply from 192.168.0.1: bytes=32 time<=10ms TTL=32

Reply from 192.168.0.1: bytes=32 time<=10ms TTL=32

Reply from 192.168.0.1: bytes=32 time<=10ms TTL=32

Reply from 192.168.0.1: bytes=32 time<=10ms TTL=32

This is a confirmation that TCP/IP is working properly. This result should be the same from any
computer on the network. If this is the case, you can then move on to configuring TCP/IP for either the
Wingate server or the client computer.

Note:

If you get:

Destination host unreachable

or:

Bad IP

then you need to check your TCP/IP settings as outlined previously.

(b) ‘Pinging’ a Computer on the Internet

Note that this will NOT work for you until you have completed installing WinGate on your network
(because WinGate DNS is required to resolve the URL to an IP address).

At the command line type the following (or substitute any other reliable web site):

ping www.cnn.com

Any computer on the network except the WinGate server should produce this response (although the IP
may vary):

Pinging cnn.com [207.25.71.29] with 32 bytes of data

Request timed out.

Request timed out.

Request timed out.

Request timed out.

If you have defined a default gateway (with an IP address of 192.168.0.4 in this example), the following
response should be produced (at this stage, you do not need to know about the default gateway):

Pinging cnn.com [207.25.71.29] with 32 bytes of data

Reply from 192.168.0.4: Destination host unreachable.

Reply from 192.168.0.4: Destination host unreachable.

Reply from 192.168.0.4: Destination host unreachable.

Reply from 192.168.0.4: Destination host unreachable.

This means that WinGate DNS is working properly. The DNS has looked-up the name, and returned the
corresponding IP address for that name. You will never get response times for an external computer on
the Internet (e.g. www.cnn.com) using a client computer behind WinGate.

Release/Renew TCP/IP configurations

If your client computers were already using a DHCP server (WinGate or other) before the installation,
they will have the same settings after a restart (and therefore will not be able to use the NAT, since their
‘default gateway’ setting will not point to the WinGate server computer). In this case, you must ‘release’
the old DHCP settings and ‘renew’ them:

In Windows 95 or 98…

1. Click Start – Run

2. Enter ‘winipcfg’ and click OK

3. Make sure your network card (NIC) is selected (rather than the PPP adapter)

4. Click the ‘release’ button

5. Click ‘renew’ button.

In Windows NT 4…

1. Open the Command Prompt

2. Type ‘ipconfig /release’ to release the old settings

3. Type ‘ipconfig /renew’ to get the DHCP server to configure your client computer with the
new settings (i.e. set the default gateway to point to the WinGate server).

In Windows 2000…

1. Open the Command Prompt

2. Type ‘ipconfig /release’ to release the old settings

3. Type ‘ipconfig /renew’ to get the DHCP server to configure your client computer with the
new settings (i.e. set the default gateway to point to the WinGate server).

You may be prompted to restart your computer.


Uninstalling WinGate

To Uninstall WinGate from Your System:

• Choose the Uninstall WinGate icon from the WinGate group in the Start menu OR

• Open Control Panel, Add-remove software/‘WinGate Server’/Remove.

If you have ‘lingering’ WinGate settings you may wish to look at the Advanced WinGate Configuration.

Installing the WinGate Internet Client

Check the Requirements for the WGIC

You should check that any client computer satisfies the following requirements before installing the
WinGate Internet Client. In all cases you should set up the WinGate server and make sure that the
Winsock Redirection Service is enabled and running before you begin installing the WGIC.

The requirements for installing the WGIC are as follows:


• Running Windows 95, 98, NT4 or 2000
• If running Windows 95 then WinSock 2 must be installed
• TCP/IP protocol installed and working properly

Run the WGIC Installer Program

Once your computer satisfies these basic requirements, you can install the WGIC:

1. Run the WinGate installer program on your client computer (this is the same installer you
used for the Wingate server)

2. The installer should detect the Wingate server on the network and default to the client install.
If it does not, you can select to install the WinGate Internet Client

3. Read the instructions provided by the installer at each step (taking time to read help for
further explanation).

Like the WinGate engine, the WinGate Internet Client runs as a Windows Service. This means that it will
always run in the background, whether you are logged in or not. You can run the WGIC applet for further
configuration from the Windows Control Panel (click Start-Settings-Control Panel).

Configuring Applications to Use the WGIC

Once the installer has finished, your applications will connect to the Internet with NO further
configuration (the Winsock Redirection Service must be running on the Wingate server). The WGIC will
seamlessly provide all outgoing and incoming access to and from the Internet.

If you were using proxies before you installed the WGIC, then you should remove any old proxy settings.
This means that your applications should be configured to connect ‘directly’ to the Internet (rather than
through proxies). If you do not remove these settings your applications will still work but they will be
using the WinGate proxies, not the WGIC.

If you want to use WinGate NAT from the same computer, then additional configuration of the client will
be required. This is minimal and you can click here to find out how to integrate the NAT with the WGIC.


System Messages

What are WinGate System Messages?

Click here to view a list of all system messages & solutions

Click here to see how you can configure system messages

The WinGate System Log is a feature designed to assist WinGate administrators with diagnosing and
fixing network-related problems. It is also used to notify administrators of any key events that occur –
new plug-ins found, a license change, a detected hacking attempt etc.

Be sure to press F1 on a highlighted System Log message to load context-specific help for that message
(help is particularly useful for solving any detected network problems and will help you to fix a range of
common problems in minutes).

Messages are also assigned an icon, which denotes the type of message they are:

Any problem that may prevent a WinGate service from starting up or operating properly.

A notification of an event.

A notification of an attempted security violation.

How to Enable System Messages

System log messages are always enabled and will be shown to anyone who is a member of the
"Administrators" group (in WinGate Standard and Pro only). However, the System Log tab must be
enabled (enable this from the View menu by selecting the System Log option).

When a system log event is generated it will be queued and sent to either:
• ALL online administrators or
• If none are online, the next administrator to logon to WinGate.

Note About Message Limits:

Some events may cause large numbers of system messages to be generated (e.g. security violation
notices caused by a SPM attack). The WinGate Engine will queue a maximum of 200 messages (with old
messages being discarded). GateKeeper will display a maximum of 1000 system messages (with old
messages being discarded).

System Message Options

The following options are available for controlling WinGate System Messages:

View options
• Auto-activate Syslog when event occurs: Turns WinGate system messages on or off.

Display these syslog events

This option defines what syslog messages appear in the System Messages window in GateKeeper.
• Errors: Serious problems that prevent WinGate from operating properly
• Warnings: Alert you to possible problems or security holes on your LAN
• Information: Inform you about any changes to configuration made by WinGate
• Authentication Warnings: Alerts you to any failed attempts to authenticate for a given WinGate
service.

Save these syslog events in the System log file

This option defines what syslog messages are written to the log file system.log.
• Errors: Serious problems that prevent WinGate from operating properly
• Warnings: Alert you to possible problems or security holes on your LAN
• Information: Inform you about any changes to configuration made by WinGate
• Authentication Warnings: Alerts you to any failed attempts to authenticate for a given WinGate
service.

System Message Index

Select a relevant System Message and click the link to find a solution to the problem it describes. Click
here to learn more about what system messages are and how they work.

Solution GateKeeper System Message

This service will not operate. No valid interfaces are available for this service. You
may need to change the IP address on this computer.

Performing auto binding (Binding option not valid for this service).

Invalid binding A.B.C.D removed. This interface is no longer available on your
system (IP address changed?). Check service bindings

This connectoid has been deleted from your system, you may wish to check your
dialer settings and/or any services dependent on this connectoid

You do not have a professional version key – other user accounts will not be
available

Administrator account not found - new default account added

User account not found - new default account added

No Remote Control Service found, default service created

Your license is invalid - WinGate has reverted to local user only operation. To
restore operation of WinGate, you must install a valid license.

Your old WinGate license is invalid – previous settings will not be migrated

Migrating previous WinGate 2 settings

No previous settings found, default configuration will be used

SNMP initialization failed - some functionality may not be available.

Restarting main dialer thread - too many critical errors

ICMP initialization failed - no support for ping. Some functionality may not be
available

This service will not operate. There are no private address interfaces bound to this
service, and public address allocation is denied. You may need to renumber your
network

Client PCNAME denied access – non-private address allocation denied

Client PCNAME denied access to server by rule

No acceptable offer can be made to client PCNAME

Service startup complete or partial failure - Check your bindings

Authentication failed - user GUEST on A.B.C.D requested REQUEST

Bad NAT Driver version - This version of the engine is incompatible with the NAT
driver you have installed - please contact product support.

There is no Administrator password, this service is being reconfigured for local
access only.

The ENS driver refused to load. This may occur if the system has failed to boot
several times. Press F1 for further details on possible causes and remedies.

The ENS driver was not loaded. This may mean that it is missing or has been
disabled. Press F1 for further details on possible causes and remedies.

The ENS driver is running out of memory, and has switched off to avoid interfering
with networking. All ENS functions, including the firewall, have been disabled. Press
F1 for further details on possible causes and remedies.
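
The messages in this index that record refused or failed access (‘Authentication failed - user ... on A.B.C.D requested ...’ and ‘Client ... denied access ...’) can be pulled out of saved system.log lines and counted per source, together with the messages that report a missing Administrator password or an ENS driver that is not running. The following is an added example, not part of the WinGate manual or product: the line layout of system.log is not given here, so the patterns only look for the message text inside each line, and the sample lines, the threshold and the names triage and SAMPLE_LOG are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Message texts are taken from the System Message Index above.
AUTH_RE = re.compile(
    r"Authentication failed - user (?P<user>\S+) on "
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}) requested (?P<request>.*)$"
)
DENIED_RE = re.compile(
    r"Client (?P<pc>\S+) denied access "
    r"(?:to server by rule|[-\u2013] non-private address allocation denied)"
)
# Messages that report a change in how the server is protected or reachable.
POSTURE_MESSAGES = (
    "There is no Administrator password",
    "The ENS driver is running out of memory",
    "The ENS driver refused to load",
    "The ENS driver was not loaded",
)

# Constructed sample lines: the timestamp prefix, addresses, computer name and
# the text after "requested" are made up; only the message wording is WinGate's.
SAMPLE_LOG = """\
2001-03-05 09:14:02 Authentication failed - user GUEST on 203.0.113.9 requested WWW Proxy Server
2001-03-05 09:14:03 Authentication failed - user Administrator on 203.0.113.9 requested WWW Proxy Server
2001-03-05 09:14:05 Authentication failed - user admin on 203.0.113.9 requested WWW Proxy Server
2001-03-05 09:14:09 Authentication failed - user GUEST on 203.0.113.9 requested WWW Proxy Server
2001-03-05 09:20:41 Authentication failed - user GUEST on 192.168.0.7 requested WWW Proxy Server
2001-03-05 09:21:10 Client LAPTOP3 denied access to server by rule
2001-03-05 09:21:12 Client LAPTOP3 denied access \u2013 non-private address allocation denied
2001-03-05 09:30:00 There is no Administrator password, this service is being reconfigured for local access only.
2001-03-05 09:30:01 Migrating previous WinGate 2 settings
"""


def triage(lines, threshold=3):
    """Summarise security-relevant system messages found in log lines.

    Returns a dict with:
      failures - {source address: {"count": n, "users": set of user names}}
      repeat   - sorted addresses with at least `threshold` failed logons
      denied   - Counter of client computer names that were refused
      posture  - posture messages seen, in the order they appeared
    """
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    denied = Counter()
    posture = []
    for line in lines:
        line = line.strip()
        match = AUTH_RE.search(line)
        if match:
            entry = failures[match["addr"]]
            entry["count"] += 1
            entry["users"].add(match["user"])
            continue
        match = DENIED_RE.search(line)
        if match:
            denied[match["pc"]] += 1
            continue
        for text in POSTURE_MESSAGES:
            if text in line:
                posture.append(text)
                break
    repeat = sorted(a for a, e in failures.items() if e["count"] >= threshold)
    return {"failures": dict(failures), "repeat": repeat,
            "denied": denied, "posture": posture}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for addr in report["repeat"]:
        entry = report["failures"][addr]
        print(f"{addr}: {entry['count']} failed logons as {sorted(entry['users'])}")
    for pc, count in report["denied"].items():
        print(f"{pc}: refused {count} time(s)")
    for text in report["posture"]:
        print(f"check server: {text}")
```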

No Valid Interfaces Available for Service

System Log Message:
This service will not operate. No valid interfaces are available for this service. You may need to
change the IP address on this computer.

Solution:
Whilst validating the configuration of this service, it was determined that no valid interfaces were
available to be bound to this service. The service will not operate.

If you think this is an error, then you should consider the following:
• DNS services cannot be bound to the localhost (127.0.0.1) interface.
• DHCP services cannot be bound to localhost, nor any interface that has its address allocated by
DHCP automatically.

Binding Specified Invalid

System Log Message:
Performing auto binding (Binding option not valid for this service).

Solution:
Whilst validating the configuration of this service, it was determined that the method of binding
(to any one specific or multiple) was invalid for this type of service.

The service will perform an automatic binding sequence, and will bind itself to all interfaces
that are:

a) valid for this type of service

b) NOT accessible by the internet

This will not normally happen, and should not be a concern. It is used when new default services
are created in the engine, for instance if you run just the engine without having performed an
installation. Or, this may occur the first time the engine is run.

No Interface Specified for Binding

System Log Message:
Performing auto binding (Binding option not valid for this service).

Solution:
Whilst validating the configuration of this service, it was determined that although the binding
option for this service specified that a single interface would be bound, that interface itself was
not specified.

The service will perform an automatic binding sequence, and will bind itself to all interfaces
that are:

a) valid for this type of service

b) NOT accessible by the internet

This will not normally happen, and should not be a concern. It is used when new default services
are created in the engine, for instance if you run just the engine without having performed an
installation. Or, this may occur the first time the engine is run.

Binding No Longer Available

System Log Message:
Invalid binding A.B.C.D removed. This interface is no longer available on your system (IP address
changed?). Check service bindings

Solution:
Whilst validating the configuration of this service, it was determined that a binding is no longer
available, and so has been removed from this service binding list.

This typically happens when:
• An interface on your system has been removed
• Your IP address has changed. This may happen frequently if you use a DHCP server on your network
to automatically allocate your IP address.

Invalid Binding For Service

System Log Message:
Invalid binding A.B.C.D removed. This interface is not valid for this type of service. Check service
bindings.

Solution:
Whilst validating the configuration of this service, it was determined that a binding was not valid
for this type of service, and so has been removed.

You may get this message in the DHCP server if you change your TCP/IP settings from using a
predefined IP address, to automatically getting an address from a server (using DHCP).

Connectoid Deleted

System Log Message:
This connectoid has been deleted from your system, you may wish to check your dialer settings and/or
any services dependent on this connectoid

Solution:
A previously known DUN (Dialup Networking) connectoid has been removed from the operating system.
This is no longer available for use by WinGate.

For Standard and Pro version users:

Some settings in WinGate may have depended on the existence of this connectoid, and hence may now
need to be modified. In particular, you should check the following:
• In the Dialer settings, if this connectoid was specified as the primary or secondary connectoid
• For any services that specified on the Interfaces tab a specific DUN connectoid to use
• For any TCP or UDP mapping services that had specific mappings dependent on this connectoid
• Any rules in any service, or the default rules, that had criterion based on the state of this
connectoid.

WinGate Pro License Key Does Not Exist

System Log Message:
You do not have a professional version key – other user accounts will not be available

Solution:
Whilst reading the configuration for the user database, non-system users were found. However your
license does not allow you to use these database entries, so they will be ignored. This typically
happens when you use a Standard license, but previously had a Professional version installed where
you had added users.

To prevent getting this message you will need to remove the other users from the registry. These
may be found under:

HKEY_LOCAL_MACHINE\Software\Qbik Software\WinGate\UserDatabase.

You should delete all but the Users, Administrators, Guest, and Administrator sub-keys. If you
delete any of these keys by accident the default accounts will be recreated, but you will lose any
previous password and accounting settings.

Administrator / User Account Not Found

System Log Message:
Administrator account not found - new default account added

Solution:
A default user account (either the Administrator or Guest/User) was not found. This account is
required and has been created.

This may occur if you start WinGate from another computer, or your settings have been lost.

System Log Message:
User account not found - new default account added

Solution:
A default user account (either the Administrator or Guest/User) was not found. This account is
required and has been created.

This may occur if you start WinGate from another computer, or your settings have been lost.

Administrator / User Group Not Found

System Log Message:
Administrators group not found - new default group added

Solution:
A default user group (either the Administrators or Users group) was not found. This group is
required and has been created.

This may occur if you start WinGate from another computer, or your settings have been lost.

System Log Message:
Users group not found - new default group added

Solution:
A default user group (either the Administrators or Users group) was not found. This group is
required and has been created by WinGate.

This may occur if you start WinGate from another computer, or your settings have been lost.

Remote Control Service Does Not Exist

System Log Message:
No Remote Control Service found, default service created

Solution:
Whilst validating the WinGate configuration the Remote Control Service was not found. This is a
required service, and so has been added.

This may occur if you start WinGate from another computer, or your settings have been lost.

Invalid License

System Log Message:
Your license is invalid - WinGate has reverted to local user only operation. To restore operation of
WinGate, you must install a valid license.

Solution:
This means that the license failed checking on startup, and the engine will revert to a single user
mode. This single user can only be the localhost, so no other client computer will have access to
the server. If you have client licensing, then clients with valid licenses will still be honored.

Otherwise, you will have to register the software to be able to use it on your network. If you
believe you have a currently valid license, and you get this message, you will need to contact your
software supplier for a replacement license.

Invalid WinGate 2 License

System Log Message: Your old WinGate license is invalid – previous settings will not be migrated

Solution: On checking your previous WinGate 2 configuration, it was determined your WinGate 2 key is invalid. This will typically be followed by a message saying you have no valid license.

Migrating Settings From WinGate 2

System Log Message: Migrating previous WinGate 2 settings

Solution: Previous settings for WinGate version 2.x have been found, and are being migrated to work with this version of WinGate.

Default WinGate Configuration Used

System Log Message: No previous settings found, default configuration will be used

Solution: No configuration information was found in the Registry. Default operating configuration will be used.

WinGate Failed To Initialize SNMP

System Log Message: SNMP initialization failed - some functionality may not be available.

Solution: While attempting to initialize the SNMP subsystem an error occurred. This could be caused by the following:

1. The file SNMPAPI.DLL could not be found in your Windows system folder
2. The file SNMPAPI.DLL in your system directory is corrupted.

SNMP should be installed by default on your operating system when TCP/IP is installed. However, when you installed WinGate a copy of this file (named SNMPAPI.DL_) was placed in your WinGate folder. Simply rename this file to SNMPAPI.DLL and reboot your PC. After the reboot, WinGate will load this working version of SNMP.

WinGate Dialer Restarted

System Log Message: Restarting main dialer thread - too many critical errors

Solution: This occurs when too many unknown errors occur in processing dialer requests in WinGate. When this occurs, the dialer manager is restarted to attempt to recover from the situation.

WinGate Failed to Initialize ICMP

System Log Message: ICMP initialization failed - no support for ping. Some functionality may not be available

Solution: Whilst attempting to initialize support for ICMP (‘ping’), an error occurred. This could be caused by the following:

• The file ICMP.DLL is not found in your system directory
• The file ICMP.DLL in your system directory is invalid or corrupted

Without support for ICMP, a number of features of WinGate will not operate correctly. In particular the WinGate DHCP service relies on the ability to verify IP addresses by pinging. So without this support DHCP may not operate correctly.

No Private IP Interfaces Bound to Service

System Log Message: This service will not operate. There are no private address interfaces bound to this service, and public address allocation is denied. You may need to renumber your network

Solution: The DHCP service has not been bound to any interfaces on your system that use a private IP address.

A Private IP address is a special address reserved for use on private networks, and cannot be used on the internet.

It is strongly recommended that you use private addresses on your network. The DHCP service in WinGate will allocate IP addresses based on the IP address of the network adapter on your WinGate server.

Non-Private IP Allocation Denied

System Log Message: Client PCNAME denied access – non-private address allocation denied

Solution: This will occur if your WinGate DHCP service is configured to ‘Deny allocation of non-private IP addresses’, and a DHCP request came in from a subnet using public addresses.

By default the WinGate DHCP server will not allocate public addresses. This is a safety precaution required especially if you are connected to the internet through a cable modem provider.

If you use public IP addresses on your local network (discouraged) then you may need to either:

1. Renumber your network to use private addresses. You can use WinGate's DHCP to help here
2. Change the configuration of the DHCP server to allow it to allocate public IP addresses.

If you choose option 2, you should check the bindings also, to make sure you do not bind the DHCP service to any externally accessible interfaces, else you may run into troubles with your ISP.

Client Denied Access to WinGate DHCP

System Log Message: Client PCNAME denied access to server by rule

Solution: The client was denied access to the DHCP server. If this is a client computer on your network, it may not function properly unless it has access to another DHCP server. Alternatively, you can change its TCP/IP configuration to use a manually assigned IP address.

WinGate DHCP Can Not Offer Client IP Address

System Log Message: No acceptable offer can be made to client PCNAME

Solution: The DHCP server could not make an offer to the client.

Complete or Partial Service Failure On Startup

System Log Message: Service startup complete or partial failure - Check your bindings

Solution: The service failed to start up completely. This is typically due to a port conflict where some other software on your system is using the same port number as the service in WinGate that failed to start.

Check the related links on dealing with port conflicts, and running WinGate with other Internet server software.

User Request Failed WinGate Authentication

System Log Message: Authentication failed - user GUEST on A.B.C.D requested REQUEST

Solution: A user attempted to perform an action that has been denied by WinGate's policies. You may need to verify that this was the correct action.

If not, you will need to modify your policy configuration for the service concerned, or modify the system policies.

Incorrect Version of NAT Driver

System Log Message: Bad NAT Driver version - This version of the engine is incompatible with the NAT driver you have installed - please contact product support.

Solution: The driver used to provide NAT services to WinGate is not compatible with this version of WinGate.

You should contact your software vendor for an updated NAT driver.

Must Set Administrator Password for Remote Access

System Log Message: There is no Administrator password, this service is being reconfigured for local access only.

Solution: There was no password found for the Administrator account. This is a security risk. This service has been reconfigured to be available from the local computer only.

If you wish to keep accessibility to this service from external computers, you will need to specify a password for the Administrator account.

ENS Driver Refused to Load

System Log Message: The ENS driver refused to load. This may occur if the system has failed to boot several times. Press F1 for further details on possible causes and remedies.

Solution: The ENS driver has chosen not to load after failing to communicate with the WinGate Engine on previous computer starts. This is a safety feature that can enable your computer to recover from a conflict, which may have been caused by the ENS. Some of the common situations which can cause this are:

• If you have just installed the ENS or a new version of WinGate then this probably means that the driver is conflicting with some other software or hardware on your computer. It may be possible to work around the problem or to obtain a newer version of the driver. Contact technical support for further information
• If the ENS has been working previously but the addition of new hardware or software caused "blue screen" crashes, then you may want to re-enable the ENS, especially if you believe the problem has been fixed (e.g. the hardware has been removed again)
• If there were some incomplete or very rapid computer restarts, e.g. if you switched it off during the startup or selected the restart option immediately after it had started, then the WinGate engine may not have finished communicating with the ENS driver. Try re-enabling the ENS driver.

To re-enable the ENS go to the Extended Networking → Advanced tab.

You will continue to see this message until the ENS is re-enabled or explicitly told not to load.

ENS Driver Failed to Load

System Log Message: The ENS driver was not loaded. This may mean that it is missing or has been disabled. Press F1 for further details on possible causes and remedies.

Solution: The ENS driver was not loaded by the operating system despite apparently being configured to do so. This could mean that the driver file is missing, or that during a "safe mode" start you chose not to load it (its name begins with "QbikHk"). If you believe that the computer started up normally, then you may want to try re-installing the ENS driver, or contacting technical support.

ENS Driver Running out of Memory

System Log Message: The ENS driver is running out of memory, and has switched off to avoid interfering with networking. All ENS functions, including the firewall, have been disabled. Press F1 for further details on possible causes and remedies.

Solution: The ENS driver has detected that it is running low on the memory that it shares with other networking components. Because exhausting this memory would disable all networking on this computer, the ENS has temporarily disabled itself. This means that all NAT and firewall functionality has been disabled, so you are no longer protected from the Internet. Restarting your computer will re-enable the ENS, although this condition may later recur.

The probable cause of this is a conflict between the networking "dialects" used by the ENS and other networking components. Please contact technical support as they may be able to recommend a work-around, or a newer version of the ENS may be available. They will need this information:

• A full configuration report. Please select the Advanced option from the Options menu and save the report to disk
• To know how long you were connected to the Internet before this message appeared (or Internet access ceased for client computers), and approximately how much data may have been exchanged.
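
The following triage script is an added example, not part of the WinGate documentation. It matches the System Log message texts listed above and ranks them by security impact; the timestamped line layout, the severity ranking and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# (severity, note, pattern). Message texts come from the tables above; the
# severity assigned to each one is this example's assumption, not WinGate's.
RULES = [
    ("critical", "ENS disabled itself: NAT and firewall are off until restart",
     re.compile(r"ENS driver is running out of memory")),
    ("critical", "ENS driver not running: no packet filtering",
     re.compile(r"ENS driver (?:refused to load|was not loaded)")),
    ("high", "Administrator has no password; service forced to local access",
     re.compile(r"There is no Administrator password")),
    ("high", "license check failed: engine in local-user-only mode",
     re.compile(r"Your license is invalid")),
    ("medium", "default account or group recreated: settings may have been lost",
     re.compile(r"(?:account|group) not found - new default (?:account|group) added")),
    ("medium", "request denied by policy",
     re.compile(r"Authentication failed - user (?P<user>\S+) on (?P<ip>\S+) "
                r"requested (?P<request>.+)")),
    ("medium", "DHCP refused a client",
     re.compile(r"Client (?P<client>\S+) denied access")),
    ("info", "service did not bind: check for port conflicts",
     re.compile(r"Service startup complete or partial failure")),
]

# Constructed sample input; the timestamp prefix is an assumed layout.
SAMPLE_LOG = [
    "2000-05-01 09:00:01 Service startup complete or partial failure - Check your bindings",
    "2000-05-01 09:02:13 Authentication failed - user GUEST on 192.168.0.23 requested http://example.com/",
    "2000-05-01 09:02:15 Authentication failed - user GUEST on 192.168.0.23 requested http://example.com/a",
    "2000-05-01 09:02:19 Authentication failed - user GUEST on 192.168.0.23 requested http://example.com/b",
    "2000-05-01 09:05:40 Client LAPTOP7 denied access - non-private address allocation denied",
    "2000-05-01 09:30:00 The ENS driver is running out of memory, and has switched off",
    "2000-05-01 09:31:00 Dial-up connection established",
]


def classify(line):
    """Return a dict describing the first matching rule, or None."""
    for severity, note, pattern in RULES:
        match = pattern.search(line)
        if match:
            return {"severity": severity, "note": note,
                    "fields": match.groupdict(), "line": line}
    return None


def triage(lines, auth_threshold=3):
    """Classify lines, sort by severity, and flag sources with repeated denials."""
    events = [e for e in map(classify, lines) if e]
    events.sort(key=lambda e: SEVERITY_ORDER[e["severity"]])  # stable sort
    failures = Counter(e["fields"]["ip"] for e in events if "ip" in e["fields"])
    noisy = sorted(ip for ip, count in failures.items() if count >= auth_threshold)
    return events, noisy


if __name__ == "__main__":
    found, repeat_sources = triage(SAMPLE_LOG)
    for event in found:
        print(f"[{event['severity']:8}] {event['note']} :: {event['line']}")
    print("sources with repeated policy denials:", repeat_sources)
```
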

WinGate Extended Network Support

Extended Network Support (introduced with WinGate 4.0.1) provides powerful new Internet
capabilities to users on your WinGate network. Built around a virtual device driver, the WinGate network
extensions enable packet-level access to information on the network, which allows WinGate to provide
the following set of powerful new features:

• General Purpose Internet Sharing (NAT)

This is the NAT (Network Address Translation) engine, which enables any networked computers to have
direct access to an Internet connection on your WinGate server. It is a breakthrough, in that it requires no
manual proxy configuration or client software, and it can support virtually any operating system with
unparalleled speed.

• Support for Multiple Subnetworks (router)

This component allows you to share drives, files and other resources between computers that are
connected but on different subnetworks. If WinGate has an interface connected to each subnet, then it
will "route" both TCP and UDP data between them. * Note that disabling this option will hide the
"Routing" tab.

• Security Firewall Protection

This is the packet-filtering technology that implements the firewall and security enhancements to the
WinGate server. While earlier versions of WinGate provided proxy-level firewall protection, the packet-
filtering approach provides much more power and protection from attacks (including denial of service
(DOS), ping of death, port scanners, Trojans and many known Windows backdoors).

Extended Network Support - Routing

What Does Support for Multiple Sub-networks Mean?

A LAN will typically consist of a single sub-network of up to 255 computers. When assigning IP
addresses to workstations, the third octet (e.g. the 3 in 1.2.3.4) denotes the subnet, and it will be the same
for all computers on the same subnet.

Normally, when a computer has several network cards (each connected to a different subnet), it is able to
send/receive TCP and UDP data with computers on both subnets. However, the workstations on each
subnet will not be able to send/receive any data with each other, even though they are indirectly connected
by the computer participating on both subnets (that computer does so with two network cards). This
happens because that computer is unable to properly "route" TCP and UDP packets between sub-nets, and
as a result, the packets are simply dropped.

WinGate Extended Network Support enables optional routing of TCP and UDP between subnets. This is
often referred to as bridging as it effectively forms a bridge between two or more subnets, allowing
packets to reach computers that would normally not be visible.

What Benefits Does This Provide?

Routing between subnets allows computers on both subnets to share access to servers, services, and files
(thereby extending the capabilities of your LAN). It also allows you to share access to other network
resources such as printers and Internet access. WinGate will route any packets so long as they are TCP or
UDP (it does not matter whether they came from a PC, Mac or Linux workstation).

However, note that only services/devices that communicate using TCP or UDP will be accessible since
these are the only protocols routed by WinGate.

How Do I Enable This Feature?

Routing of TCP/UDP packets between subnets will be enabled by default (so long as WinGate Extended
Network Support is installed and working properly). All you need to do is make sure that the
‘Support for multiple sub-networks (router)’ checkbox is enabled (this can be found on the General tab of
the Extended Network Support).

Troubleshooting:

I still can’t browse both subnets in Network Neighborhood?

Network Neighborhood will only work for computers running a Windows platform. Furthermore, it often
takes some time for the computers on each sub-network to learn about one another (they do this via UDP
broadcasts so this must be enabled for network browsing to work properly). However, they will do this
automatically at startup so you may want to reboot each computer after enabling this feature (where this is
practical – otherwise do it later).

A final consideration is that you may need to add some shares on the computer you are trying to access
(i.e. right-click the C drive icon and select Sharing to define these).

How can I test that the routing is working?

Click Start/Run and type in \\computer\share where computer is the name or IP address of a computer on
another subnet, and share is the name of a defined network share. If routing is working properly then this
command should open a window that allows you to browse the shares defined for this computer.

Extended Network Support - Firewall

About the WinGate Firewall

The WinGate Security Firewall Protection is a packet-level firewall solution that goes well beyond the
proxy-firewall support in previous versions. This new feature provides complete protection of your
gateway PC (and the rest of your LAN) from network attacks.

Security is applied where it counts – beneath the operating system at the network link layer. From this
location, it is able to protect every service, application and file above it and integrate transparently with
any desktop environment. All TCP and UDP network data is scrutinized well before it is able to reach the
protocol stack, let alone your applications and data. The main features are:

• Extended Security Options. These provide baseline security and protection and can be turned on
or off individually (see options above). Built-in default functionality is always on and protects your
computer against the following popular attack strategies:
    Denial of Service (DOS)
    Trojans
    Port Scanners
    IP Spoofing
    Backdoors (Known OS Bugs)

• Advanced Packet-Filtering. Packets can be filtered by protocol, interface and port and either
"allowed", "denied" or "redirected" to another computer (see Port Security)

• Intrusion Logging. You are instantly alerted to any intrusion attempts or suspicious activity with a
WinGate system log message (see Port Security).

What Do You Want To Learn More About?

Click on any of the links below to find out more about network threats and security, and how you can use
WinGate to protect your gateway PC.

• What exactly is a firewall?
• Who is at risk and from what?
• How do I configure advanced port security?

Extended Network Support - Port Security

About WinGate Port Security

This tab enables users to configure advanced firewall features. Users can configure a default interface
action. This means that for any interface/protocol combination, you can specify a default "action" for all
packets. You can also setup security filters that provide more control over specific port ranges.

WinGate allows you to "Allow", "Deny" or "Redirect" any packets that meet specific criteria (see below).

Default Interface Action(s)

The default port security settings (below) are what we recommend as the safest overall protection from
network attacks.

Connections from (Interfaces)                        Protocol   Default Action
Connections from the Internet (external→internal)    TCP        Deny
                                                     UDP        Deny
LAN connections to WinGate PC (internal→internal)    TCP        Allow
                                                     UDP        Allow
LAN connections to Internet (internal→external)      TCP        Allow
                                                     UDP        Allow

You can also create any holes or redirections (using Security Filters) to provide any extra functionality
required on your LAN. Note, when the firewall is enabled, the administrator must explicitly open/close
certain port ranges to cater for any server applications running on the LAN.

• The default configuration provides maximum protection from attacks originating from the Internet
(by denying all LAN-bound packets arriving on the external interface)
• The default configuration provides maximum flexibility for Internet users on your LAN (by
allowing all Internet-bound packets from your LAN out).

Security Filters

How Do I Create These?

Security Filters provide you with a way of adding more control and flexibility to the firewall without
compromising security. Security filters allow the firewall administrator to:

• Create "holes" in the firewall to allow users on the Internet to access servers running on your LAN.
Note that when you bind a WinGate Service to an interface / port combination that is blocked by the
firewall, WinGate will offer to create a "hole" (we recommend allowing WinGate to do this for
you). Of course when you unbind or delete the service the "hole" will be automatically blocked
again by the firewall
• Deny packets on single ports or port ranges (this closes the ports - by default any unused ports will
be hidden)
• Redirect packets to another computer, either behind or outside the firewall.

Filter rules can be constructed from the following criteria and actions:

Filter Criteria   Description
Interface         The interface that the packet is arriving on (either internal or external)
Protocol          Whether the packet is TCP or UDP
Port              The port on which the packet is attempting a connection (specify a single port or a range of ports)

Filter Action     Description
Allow             The packet is "allowed" to pass through to the TCP/IP protocol stack
Deny              The packet is dropped at the front door of your network – this action renders the port closed/disabled
Redirect          The packet can be redirected to another computer or port – this is much like a traditional WinGate mapped link only it occurs at a much lower level

Port Range Configuration

Note: WinGate Can Set Up Required "Holes" Automatically

When you bind a WinGate service to an interface / port combination that is blocked by the firewall,
WinGate will offer to create a "hole" (we recommend allowing WinGate to do this for you). Of course,
when you unbind or delete the service the "hole" will be automatically blocked again by the firewall.

What is a Firewall?

A firewall may deploy three basic approaches or services to protect your network.

WinGate provides a solid implementation of ALL three types of firewall technology. This affords you
the most power and flexibility with configuring both Internet sharing and network security.

Packet Filtering

The first is known as packet filtering. In their first incarnation, firewalls were little more than specialized
routers. The firewall performed a very basic function - examine each network packet as it comes down the
wire and ensure that the address was appropriate. This is still an integral part of a firewall strategy. Its
benefit is to be very efficient and speedy, since it is just looking at a header and making no changes,
simply allowing or denying entry. It does this by looking at the header and verifying the IP address, the
port, or both. For example, if it finds an IP address in a header that should be an internal IP address, but it
is coming across the public Internet, that is a danger sign. Packet filtering can be either inbound or
outbound. An additional benefit of packet filtering is that it generally requires no knowledge or
cooperation from the user once it is set up.

• This is what occurs with the Firewall and Port Security features implemented by WinGate
Extended Network Support.

Circuit Proxy (or NAT)

The second approach is through the use of what is called a circuit proxy (or a NAT – network address
translation). The difference between this and the packet filter is that the circuit proxy forces all
communicators (client or server) to address their packets to the circuit proxy, not directly to the intended
target (usually via the default gateway setting). The proxy gets a packet addressed to it, and then changes
the address to represent the internal target. The performance is not quite as good as plain packet filtering,
although the difference is not much, since you are simply replacing header information. The main
advantage is that it hides the real IP address, which, to someone trying to gain access to your system, is
one of the most important information tidbits.

• This is what occurs for General Purpose Internet Sharing (NAT) implemented by WinGate
Extended Network Support.

Application Proxy

The third approach uses what is known as an application proxy. The application proxy understands the
application protocol and data, and intercepts any information intended for that application. A mail server
is a good example of this. The application proxy can do such things as authenticate users, instead of
simply relying on IP addresses, and even determine if the actual data represents something that could be
harmful. Of course, this is much more intensive than packet filtering; often users or clients must be
reconfigured to use them, so you lose some of the transparency.

• This is the firewall support provided by the WinGate Proxies (e.g. WWW, FTP etc) in all
versions prior to 4.0.1.

Online Security Threats

Who Is at Risk?

Anyone who goes online to the Internet at anytime is exposing themselves to the risk of attack. However,
the risk can vary depending on your method of accessing the Internet.

If you're using a standard modem and dial-in connection to your local ISP, each time you connect your PC
is assigned a different IP address. That makes a hack attack much less likely because hackers need to scan
for random IP addresses and hope that they stumble across your PC.

However, virtually all cable modems use a static IP address, using the same numbers every time, all the
time. To make the matter worse, nearly all of the cable modems in use in the United States use a limited
range of IP addresses. Hack attacks on cable modems are much more likely because hackers keep
attempting to access these common addresses. This risk is also much higher for other permanently online
connections such as DSL and T1 connections.

What Are the Risks?

There is a wide variety of network attacks available today. The access to information and files with the
Internet has brought advanced hacking tools and know-how to even novice users. This has led to a large
increase in potential security threats and attacks.

Click on any of the buttons below to learn more about common attacks and how WinGate protects you
with its advanced firewall and port security features.

Trojan Horse Story

Though not particularly relevant to WinGate, the story behind so-called "Trojan" network attacks is
interesting.

The Trojan Horse was an instrument of war used by the Greeks to gain access to the city of Troy. It was
an enormous wooden horse gifted to the people of Troy by their Greek enemies. The gift was accepted
and wheeled inside the fortified city where a huge celebration took place.

However, the horse was hollow and filled with a handful of armed Greeks. In the small hours of the
morning, while everyone was drunk or asleep, the Greeks unsealed the belly of the horse and climbed
down from it. Silently, they killed the Trojan sentries at all the city gates. The gates were then opened to
the bulk of the Greek army.

Trojan network attacks are so-called because they slip into your computer system undetected by
masquerading as something else, e.g. a harmless joke email attachment. Once they are on your system
they give a hacker complete access to your system.

Connections from (Interface)


An interface is any network connection – it may be a network interface card (NIC), an online dialer
profile or your localhost loopback (the way a computer refers to "itself" on a network).

TCP
TCP (Transmission Control Protocol) provides reliable error-free data transmission between two
computers (called hosts). When applications use TCP a virtual connection is established which allows
data to be exchanged between the two hosts as a two-way stream of bytes. TCP uses IP for addressing
computers on a network (like the Internet or a LAN).

Most end-user applications like web browsers, email and ftp clients use TCP.

UDP
UDP (User Datagram Protocol) does not guarantee reliable data transmission, and is capable of sending
data to multiple destinations and receiving data from multiple sources. UDP uses IP for addressing
computers on a network (like the Internet or a LAN).

Applications that stream video and audio will do this over UDP. UDP broadcasting is also used
extensively by the OS to find out about other computers on the network and what services they are
offering (e.g. DHCP, DNS) etc.

Port
When using TCP or UDP an application/service must specify which port they intend to communicate on
with a computer at any given IP address. A port can be either open or closed (or in hidden/stealth mode
with the WinGate firewall).

Port numbers are divided into 3 ranges:

• Well-known: 0-1023 are reserved for well known services (like FTP (21) and HTTP (80) for
instance) – you can use these ports in any application but you are not advised to.

• Registered: 1024-49151 are registered which means they can be freely used by ordinary user
processes or programs.

• Dynamic/Private: 49152-65535 are reserved for use by the OS.

Relay UDP broadcast packets


This option specifies whether or not you want the WinGate server to route UDP broadcast messages
between subnets. If this is disabled then network browsing between subnets will not work (as computers
on different subnets will not know anything about each other).

Typically UDP broadcasts are used for:

• telling other computers on the subnet about your computer at boot-time (like NETBIOS name, IP
address, OS, and any important services running).

• finding out about other computers on your network (e.g. who is the PDC or who is running a
DHCP server).

We recommend you have this option turned ON.

Enable support for multiple default routes


When a dialup connection is made, another default gateway is added to the router. This default gateway
is assigned a higher priority than the normal one and will cause problems with routing between subnets.
This is because packets addressed to the other subnet will be sent to the higher priority default gateway
(which is the dialup adapter connected to the Internet).

When this option is enabled WinGate will intercept any packets addressed to private IPs and re-route
them to the original default gateway (this way they will reach the destination subnet successfully).
Consequently, if this option is disabled, routing between subnets may not work when the gateway
computer is online via DUN.

Port Cloaking
When a port (or range of ports) is open, WinGate will allow any packets directed to such a port to be
further processed by the TCP/IP protocol stack which will then pass it on to the OS or application if
everything checks out. Even if nothing is listening on that port, the OS will normally respond to a
connection request no matter what; basically, if there is nothing listening, it will send back a TCP RST
packet (connection refused).

If the OS responds with a TCP RST packet and you have "Cloak connection failures" or "Allow with
cloaking" selected, then WinGate will intercept the TCP RST packet and discard it. This means that if
you open up a range of ports but no application is listening (e.g. web or mail server) then there will be NO
response (as opposed to the OS explicitly telling the client that nothing is listening here via the TCP RST
packet). Port scanners will not see or hear anything from that port!

If there is something listening however, then you would be able to connect to it, since you have that port
range opened up.

Disable network name broadcasts to the Internet


This option specifies whether or not you want the WinGate server to relay UDP broadcast messages to
other computers on the Internet.

Typically UDP broadcasts are used for:

• telling other computers on the subnet about your computer at boot-time (like NETBIOS name, IP
address, OS, and any important services running)

• finding out about other computers on your network (e.g. who is the PDC or who is running a
DHCP server).

We recommend that you have this option turned ON.

Allow users to ping this computer from the local network
Users on your LAN will be able to "ping" the gateway computer. Typically, they will want to do this to
check that it is online or still responding when network problems occur.

What is "Ping"?

Allow users to ping this computer from the Internet
Users on the Internet will be able to "ping" the gateway computer. Though in most cases this is harmless,
certain attack strategies rely on the ping utility to bombard a system with ICMP response packets. This
type of attack is known as the "Ping of Death" and will not work when ping is disabled.

What is "Ping"?

Discard spoofed packets


If this option is enabled, WinGate will check to ensure that the source IP address in the packet header is
really the computer that made the request. If it is not, the packet will be discarded. Learn more about this
attack strategy by clicking the link below.

What are "spoofed" packets?
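
The source-address check described here, and the "internal address arriving across the public Internet" danger sign from the Packet Filtering section, can be sketched as follows. This is an added example, not WinGate's code: the page does not document how WinGate validates sources, so the rules, the interface names and the sample addresses below are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample topology (assumption): the gateway has one external
# interface and two LAN interfaces, each attached to its own subnet.
EXTERNAL = "external"
LAN_NETWORKS = {
    "lan1": ipaddress.ip_network("192.168.0.0/24"),
    "lan2": ipaddress.ip_network("192.168.1.0/24"),
}
GATEWAY_ADDRESSES = {
    ipaddress.ip_address("203.0.113.5"),   # external interface
    ipaddress.ip_address("192.168.0.1"),   # lan1
    ipaddress.ip_address("192.168.1.1"),   # lan2
}


def make_header(src, dst):
    """Build a minimal 20-byte IPv4 header (constructed input, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv4_source(packet):
    """Extract the source address (header bytes 12-15) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[12:16])


def check_source(interface, packet):
    """Return (accept, reason) for a packet arriving on the named interface."""
    if interface != EXTERNAL and interface not in LAN_NETWORKS:
        raise KeyError(f"unknown interface {interface!r}")
    src = ipv4_source(packet)
    if src.is_loopback or src.is_multicast:
        return False, "loopback or multicast source"
    if src in GATEWAY_ADDRESSES:
        return False, "source is one of the gateway's own addresses"
    # Which LAN subnet, if any, does the claimed source belong to?
    home = next((name for name, net in LAN_NETWORKS.items() if src in net), None)
    if interface == EXTERNAL:
        if home is not None:
            return False, f"{home} address arriving from the Internet"
        if src.is_unspecified:
            return False, "unspecified source from the Internet"
        return True, "ok"
    if src.is_unspecified:
        return True, "DHCP client without an address yet"
    if home == interface:
        return True, "ok"
    return False, f"source is not on the {interface} subnet"


if __name__ == "__main__":
    for iface, src in [("external", "192.168.0.23"), ("external", "198.51.100.7"),
                       ("lan1", "192.168.0.23"), ("lan1", "192.168.1.9")]:
        print(iface, src, check_source(iface, make_header(src, "203.0.113.5")))
```
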

Port Range Specification


Connections from: Can choose "Connections from the Internet" (external→internal), "LAN connections
to WinGate PC" (internal→internal), "LAN connections to Internet" (internal→external).

Protocol: Can select TCP, UDP or both (these are the two transport protocols used for IP);

From Port: Anything from 1 to 65000;

Description: This will enable you to identify the filter on the "Port Security" tab.

Action
Allow Packet: The firewall will allow any packets that meet the criteria (specified in the port range
specification) to pass through. This means that the packets will be passed through to the protocol stack
that is then handled by the operating system.

Drop Packet: The firewall will NOT allow any packets that meet the criteria (specified in the port range
specification) to pass through. They are simply dropped before they can get anywhere near your system.

Redirect Packet to IP address: This action is a way of implementing a low-level mapped link i.e. the
firewall will redirect any packets received to another computer. This computer may be on a private IP
address on your local network (behind the firewall) or somewhere on the Internet with a public IP address
(outside your firewall). If you do not specify an override port then the firewall will redirect the packet to
the same port that it received it on.

Notify When This Range Is Accessed


When this option is enabled WinGate will create a System Log message. This message will notify the
next administrator who logs into GateKeeper of the potential attack.

Firewall Modes
• Low: Allows servers to run behind firewall

Allows Telnet, WWW, FTP, SMTP, NNTP, POP3 servers

Allows TCP & UDP 1024-4096

Allows TCP & UDP on internal interfaces


• Medium: For games and Internet applications

Allows TCP & UDP 1024-4096

Allows TCP & UDP on internal interfaces


• High: Denies all connections from the outside

Allows TCP & UDP on internal interfaces


• Custom: For advanced users

Only available with WinGate Standard & Pro Licenses!

This lets you add custom configuration options on top of a low, medium or high mode. First select a
mode and save GateKeeper settings. Then select "custom" and add special filters on the Port Security tab
of the Network Extensions dialog (IMPORTANT: any custom settings you add will be applied along with
the settings of the last mode that was selected).

Enable/Disable General Purpose Internet Sharing


Enables or Disables General Purpose Internet Sharing (NAT). When this option is disabled, any client
computers using this method to access the Internet will be unable to do so.

Enable/Disable Routing Between Multiple Subnetworks
Enables or Disables WinGate’s ability to route data between two subnetworks (NOTE: this feature will
only work when the WinGate computer is connected to two subnetworks – normally this will be via two
network cards).

Enable/Disable Extended Network Driver
Enables or Disables ALL WinGate Extended Network features. When this check box is disabled, the
following features will NOT function: General Purpose Internet Sharing (NAT), firewall and port
security, and routing between multiple subnetworks.

History Plug-In Components

Note: This topic is out of date but has been retained for historical reasons.

 Click here to access information on the ‘Traditional WinGate logging’ plug-in.

Currently, this feature is in BETA. For the time being, Qbik are only releasing a "Traditional WinGate
Logging" plug-in (this replicates existing functionality in a plug-in style component but also adds some
new filtering capabilities).

This dialog shows any registered history plug-ins and is displayed by selecting ‘History Options’ from the
‘View’ menu. It displays the Name (title of the history plug-in), CLSID (Class ID of the history logging
component) and Viewer CLSID (Class ID of the history viewing component).

Note that history plug-ins will be divided into the following separate components:

• A logging component (does the actual recording of activity – may be a database, a text file or
whatever the plug-in author chooses).

• A viewing component (displays the data stored by the logging component – may be a graph,
report, spreadsheet or whatever the plug-in author chooses).

Clearly both components will need to share a common data structure in order to work together seamlessly.

Click here to learn about Traditional WinGate Logging

History Plug-In: Traditional WinGate Logging

Logging configuration allows you to configure the "Traditional WinGate Logging" plug-in component.
The overall purpose of this plug-in is to replicate the functionality of WinGate logging/history in 3.xx
versions in order to enable a totally open plug-in architecture. However, this plug-in adds some
interesting new features that extend traditional logging/history implementations.

Logging Database Module Settings

Experienced WinGate users will notice that most of these options are the same as "History Options" in
previous 3.x versions. All of these are self-explanatory.

However, ‘Database Filter Settings’ is a new feature that allows you to control what is recorded and
what is ignored – this lets you stop WinGate from filling up your hard drive with useless data and from
doing unnecessary work. Users are able to construct "filters" (based on useful criteria) that tell WinGate
what activity, events and other information to log. Filters are further discussed below.

View Filter Settings

The viewer component displays the data that is logged. The basic implementation in "Traditional WinGate
Logging" allows you to construct "filters" which determine what is displayed. This is useful as it allows
you to locate and display specific history data – this may help to troubleshoot specific events or track
undesired network activity to a source. There are two types of filter: Simple Filter and Free-Hand
Filter.

(1) Simple Filter

This feature makes it easy to create filters using any of the history criteria available (these can be selected
from the combo-box on the left). The filter displayed above is very basic – it will only display the history
for the user "matt". Note that history data for all other users still exists but has been filtered out – for
example, you may be investigating a certain user activity.

The results of this simple filter are displayed below (as viewed from the ‘History’ tab).

(2) Free-Hand Filter

This feature is for advanced users. It is extremely flexible and versatile, allowing the user to combine any
of the available history criteria and values into logical statements (using Boolean operators like OR, AND,
NOT etc).

Some examples follow:

username="bob" will display all items where "bob" is the user

username="t?m" will display all items where the first letter of the username is t and the third and last
letter is m, e.g. tim, tom etc.

username<>"tim" AND username<>"b??" AND (compname <> "b*" OR IP <> "192.168.*")


(((type<> DNS) or (type<>RCS)) = FALSE) AND (bytesin > 4096))

Displays only sessions with traffic over 4k (excluding RCS and DNS sessions) for users with 3 letter
names not starting with "b" (e.g. excludes ben, bob) or equal to "tim". Also excludes sessions from any
computers that have a Netbios name beginning with "b" or an IP address in the 192.168.*.* range.

Braces

May be used to group expressions.

( : Open bracket

) : Close Bracket

Comparison Types

< : Less than

> : Greater than

= : Equals, is equal to

== : Equals, is equal to

<= : Less than or equal to

>= : Greater than or equal to

AND : BOOLEAN and, i.e. both operands must evaluate TRUE

OR : BOOLEAN or, i.e. at least one of the operands must evaluate TRUE

XOR : BOOLEAN xor, i.e. one and only one operand must evaluate TRUE

ISU : String contains (case-insensitive), i.e. TRUE if operand 1 contains operand 2

IS : String match, case-sensitive

Operators

Operators can be used in expressions where appropriate

+ : Numerical addition and string concatenation

- :

* : Multiplication in numerical expression, e.g. 3*5

/ :

Data Types

Constants:

TRUE : Evaluates TRUE

FALSE : Evaluates FALSE

<Type constant> : See below

Wildcards:

* : matches any string 0 or more chars long

? : matches any single char

Strings:

a string can be constructed as so

"string contents"

Strings can contain wildcards

Strings can be concatenated

"str" + "ing"

Number types:

integers : i.e. {...,-2, -1, 0, 1, 2, ...}

real numbers : e.g. {1.2, 3.9, -4.6, etc. }

Available Variables

All string values must be enclosed in "".

USERNAME : String

This is the Netbios username (may not be known) of the user who created the session. Will appear as
blank in the database if the user name is unknown.

WGUSERNAME : String

This is the WinGate username (may not be known) of the user who created this session. Will appear as
blank in the database if the user name is unknown.

COMPNAME : String

Netbios network computer name (if known)

IPNUMBER : String

IP number of client

APPNAME : String

Name of application creating this session, if known from WRP

DESCRIPTION : String

Activity description of session

DURATION : Integer

Time in seconds this session lasted

BYTESIN : Integer

Data in bytes that were sent to the client

BYTESOUT : Integer

Data in bytes that were sent from the client

TYPE : Predefined constant

A protocol method, one of:

NONE, RCS, DNS, WRP, PLUG, HTTP, FTP, POP3, SMTP, NNTP, TELNET, REALPLAYER, VDO,
SOCKS4, SOCKS5, XDMA, VPN
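
The free-hand filter syntax described above can be checked against sample data before it is relied on to track activity. The following is an added example, not WinGate's own code: a small evaluator for a subset of the syntax (brackets, comparisons, AND/OR/XOR/NOT, wildcards, type constants), run over constructed session records. It assumes ordinary Boolean semantics and case-insensitive wildcard equality, and it uses the documented variable IPNUMBER.

```python
import operator
import re
from fnmatch import fnmatchcase

# Constructed sample history records, keyed by the variable names listed above.
SESSIONS = [
    {"USERNAME": "matt", "COMPNAME": "SERVER", "IPNUMBER": "10.0.0.5", "TYPE": "HTTP", "BYTESIN": 9000},
    {"USERNAME": "matt", "COMPNAME": "SERVER", "IPNUMBER": "10.0.0.5", "TYPE": "DNS", "BYTESIN": 5000},
    {"USERNAME": "bob", "COMPNAME": "MITCH", "IPNUMBER": "10.0.0.6", "TYPE": "FTP", "BYTESIN": 8000},
    {"USERNAME": "tim", "COMPNAME": "TIMBO", "IPNUMBER": "192.168.0.7", "TYPE": "HTTP", "BYTESIN": 70000},
    {"USERNAME": "anna", "COMPNAME": "BULLBUG", "IPNUMBER": "192.168.0.9", "TYPE": "RCS", "BYTESIN": 100},
]
TOKEN = re.compile(r'\s*(?:"[^"]*"|<>|<=|>=|==|[()<>=]|\d+|[A-Za-z_]\w*)')
COMPARE_OPS = {"=", "==", "<>", "<", ">", "<=", ">="}
ORDERING = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def tokenize(text):
    parts = TOKEN.findall(text)
    if "".join(parts) != text.rstrip():
        raise ValueError("unrecognised character in filter")
    return [part.strip() for part in parts]

def compare(op, left, right):
    if op in ORDERING:
        return ORDERING[op](left, right)
    if isinstance(left, str) and isinstance(right, str):
        # Assumption: equality ignores case; * and ? in the right operand are wildcards.
        equal = fnmatchcase(left.lower(), right.lower())
    else:
        equal = left == right
    return equal != (op == "<>")

def combine(op, a, b):
    if op == "AND":
        return lambda rec: bool(a(rec)) and bool(b(rec))
    if op == "OR":
        return lambda rec: bool(a(rec)) or bool(b(rec))
    return lambda rec: bool(a(rec)) != bool(b(rec))  # XOR

class Parser:
    """Recursive descent: OR/XOR bind loosest, then AND, then NOT, then comparisons."""
    def __init__(self, text):
        self.tokens, self.pos = tokenize(text), 0
        self.test = self.expr()
        if self.pos != len(self.tokens):
            raise ValueError("unbalanced brackets or trailing input")

    def take(self, *words):
        """Consume the next token; when words are given, only if it is one of them."""
        token = self.tokens[self.pos] if self.pos < len(self.tokens) else None
        if words and (token is None or token.upper() not in words):
            return None
        self.pos += 1
        return token.upper() if words else token

    def expr(self):
        node = self.term()
        while (op := self.take("OR", "XOR")):
            node = combine(op, node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.take("AND"):
            node = combine("AND", node, self.factor())
        return node

    def factor(self):
        if self.take("NOT"):
            inner = self.factor()
            return lambda rec: not inner(rec)
        left = self.atom()
        op = self.take(*COMPARE_OPS)
        if op is None:
            return left
        right = self.atom()
        return lambda rec: compare(op, left(rec), right(rec))

    def atom(self):
        token = self.take()
        if token == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing bracket")
            return inner
        if token is None or token == ")" or token in COMPARE_OPS:
            raise ValueError(f"unexpected token {token!r}")
        if token[0] == '"':
            return lambda rec: token[1:-1]
        if token.isdigit():
            return lambda rec: int(token)
        name = token.upper()  # TRUE/FALSE, a variable, or a type constant such as DNS
        if name in ("TRUE", "FALSE"):
            return lambda rec: name == "TRUE"
        return lambda rec: rec.get(name, name)

def select(expression, records=SESSIONS):
    """Return the indexes of the records that the filter expression displays."""
    test = Parser(expression).test
    return [i for i, rec in enumerate(records) if test(rec)]
```

Under these assumptions, `select('((type<>DNS) or (type<>RCS)) = FALSE')` returns no records, because every session differs from at least one of the two types; `select('(type<>DNS) AND (type<>RCS) AND (bytesin > 4096)')` returns the large sessions that are neither DNS nor RCS.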

Maximum Database Size


This allows you to specify a maximum size for the database. If the limit you have set is reached, the plug-
in will remove the oldest 20% of the database records. This provides additional space for storing new
history.

User Properties Control

HTTPS
This is secure HTTP. Netscape and other browsers have built-in encryption to make data exchange more
secure. This is commonly used for online Internet purchasing, especially where credit cards are involved.

Cache Size
Enable this check box to limit the total cache size. When the cache reaches your specified limit it will
remove the least used 20% (to allow space for caching newer content).

Cache Size Guidelines:

These indicate the minimum recommended cache size:


• 1-5 users, with 56k modem: 30 Mb
• Up to 10 users, modem or ISDN: 40 Mb
• More than 10 users with fast connection: 50 Mb

Useful Hints:
• Remember that caches improve in efficiency the higher the data throughput. If your cache is small,
increasing your cache size by a third can make it 100% more efficient.

• With 'What to cache/purge’ options, you can dramatically cut bandwidth and speed your access.

Purge When Full


Choosing this option will allow clearing of unwanted files (specified in what to purge) when the cache
gets above the specified maximum.

Enable Cache Lookups


Check this if you want to be able to get cached files from the local cache. If this is not selected, every
document requested will be downloaded from the Internet.

The only reason to turn this off may be if you are having problems with a document that you think may
have been updated.

Enable Additions to Cache


Self explanatory. With this option checked, any file that is downloaded from the Internet will be saved in
the cache directory. This is definable depending on the 'What to cache' options.

Rechecking HTML
This is the 'recheck' wait interval. When a file is downloaded, WinGate will wait this long before
checking to see if there is an updated file. If there is, it will be downloaded and sent to the client. If not,
the cached version will be sent, and WinGate will check next time the file is accessed.

Rechecking Other Files


As with HTML files.

Graphics or FTP files don’t tend to change very often, and usually have discrete names. You may wish to
set a higher refresh interval.

Rebuild Index File


Check this button to make WinGate read the cache index file and remove entries for files that have been
deleted from the directory.

Use this if you have manually deleted files and you want to update the index file.

Purge Now
This button initiates a purge of the cache

Cache Everything
This is the default, and is the best option for most people. CGI requests (that have a ? in the URL) will
never be cached.

Specify What To Cache


This is the option to use if you specifically want to control what gets cached and what doesn’t.
Remember, if you select this, you have to add filters to cache anything.

Add Cache Filter


Clicking this will put a new 'Filter book' in the tree control.

Points to remember:
• Filters are 'OR'd' meaning if a request passes any of the filters then it is cached. The more filters
you add, the more you will cache.
• You can name the filters by clicking on them. This is a very good idea if you have complex filters.
You can add a criterion to a filter with a right click. Criteria are 'AND'ed', meaning they all have to
apply for a filter to apply.
• To add access, add a filter.
• To cut access, add criteria.

Add Cache Criterion


Adding criteria reduces the scope of its parent filter. You have a number of options you can test by.
These are explained in Assigning Rights.

Add Purge Filter


Clicking this will put a new 'Filter book' in the tree control.

Points to Remember:
• Filters are OR'ed meaning that if a request passes through any of the filters then it is purged. The
more filters you add, the more you will purge.
• You can name the filters by clicking on them. This is a very good idea if you have complex filters.
You can add a criterion to a filter with a right click. Criteria are 'AND'ed' meaning they all have to
apply for a filter to apply.
• To purge more, add a filter.
• To purge less, add criteria.

Add Purge Criterion


Adding criteria reduces the scope of its parent filter. You have a number of options you can test by.
These are explained in Assigning Rights

Delete
This will delete the selected item.

Apply - Cancel - OK
Apply puts the changes made into effect and keeps the current dialog open.

Cancel exits the dialog and ignores changes.

OK puts the changes made into effect and returns to the previous (or next) dialog.

Accept Connections on Port
This is the port number on which this service will accept connections. Only one service can listen to any
one port, so these must be unique. Each proxy has a default port and the glossary has a guide to reserved
port numbers.

Bind To Specific Interface


Bind to specific interface allows you to ensure that a service is only accessible via a certain IP address.
This IP address is an IP of the WinGate server. You can prevent any external access (from outside your
LAN) to WinGate services by binding to the address of your LAN card (e.g. 192.168.0.1). When
WinGate first starts, it will have a binding to 'localhost'. See the glossary for an explanation of this term.
While this binding is left in place, GateKeeper can only connect from the WinGate server itself.

Service Must Start


This option forces the service to start even if the port number is being used. This is useful if another
application might be using that port: WinGate can then gain control when the other application stops.

Service Name and Description


Service names are a way to identify each service. They must be unique and are more useful if they are
descriptive. Defaults are provided.

The description allows a longer explanation of the service. This is optional.

Back and Forward


These mini buttons allow you to scroll across the dialog, so that you can access other tabs unable to fit
inside the display-width of the dialog.

Timeouts
Timeouts are essential. Their function is to keep an eye on all the WinGate sessions, and if any of those
sessions are not active in the specified time, they are terminated. 60 seconds is the default. This time
period has no bearing on the hang up time for any modem connection. It is essential to remove the
timeout on the remote control service, if you wish to stay logged in for any length of time.

Policy Recipients
Users or groups are listed here, along with restrictions. Each list is relative to the right selected from the
drop box.

Add a Recipient
This will let you add a recipient, and specify the restrictions.

Remove a Recipient
This removes the selected recipient.

Redirect Client
WWW Service Only

This option will 'inform' the client it should talk to the mentioned server URL. This is only available on
the WWW proxy. Similar to the Pipe, but the client is aware of the source of the files sent.

Serve From Local Disk
WWW Service Only

This causes WinGate to act like a web server. It will use the specified directory as the root. This can be
used as an intranet, or as a web site. On an intranet, typing ‘http://wingate/’ in a browser would send you
the directory information from the directory you specify as the root (assuming there is a computer on your
network named WinGate).

If there is an index.html, this file will be sent to the client.

Perform Reverse Name Lookups


Selecting this option will cause WinGate to convert IP numbers used in requests to domain names. This
option improves cache usage: if that name already exists in the cache, the cached copy can be used
directly rather than reloaded.

Use RFC1929 Authentication


This option is available for those who have secondary SOCKS authentication servers. Name and
Password are taken from the user database. If you use this option, a Guest user will have their
authentication level increased to ‘assumed’ while a session is authenticated with this method.

This option is not recommended, as passwords are sent as 'plaintext'.
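
The reason for that warning is visible in the message layout RFC 1929 defines: the username and password travel as length-prefixed raw bytes. The following is an added example, not WinGate code, showing both sides of the exchange; the function names, the account and the password are constructed for illustration.

```python
import hmac

AUTH_VERSION = 0x01  # version byte of the RFC 1929 username/password sub-negotiation
USERS = {"matt": "example-password"}  # constructed account standing in for the user database


def build_auth_request(username, password):
    """Client side: VER | ULEN | UNAME | PLEN | PASSWD."""
    user, pwd = username.encode(), password.encode()
    if not (1 <= len(user) <= 255 and 1 <= len(pwd) <= 255):
        raise ValueError("username and password must each be 1 to 255 bytes")
    return bytes([AUTH_VERSION, len(user)]) + user + bytes([len(pwd)]) + pwd


def parse_auth_request(data):
    """Server side, or anyone holding a capture: both fields are read straight from the bytes."""
    if len(data) < 2 or data[0] != AUTH_VERSION:
        raise ValueError("not an RFC 1929 request")
    ulen = data[1]
    if ulen == 0 or len(data) < 3 + ulen:
        raise ValueError("truncated username field")
    plen = data[2 + ulen]
    if plen == 0 or len(data) != 3 + ulen + plen:
        raise ValueError("password field length does not match the message")
    username = data[2:2 + ulen].decode("utf-8", "replace")
    password = data[3 + ulen:].decode("utf-8", "replace")
    return username, password


def handle_auth(data, users=USERS):
    """Return the two-byte reply VER | STATUS, where STATUS 0x00 means success."""
    try:
        username, password = parse_auth_request(data)
    except ValueError:
        return bytes([AUTH_VERSION, 0x01])
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    return bytes([AUTH_VERSION, 0x00 if ok else 0x01])


# Constructed message, as it would appear on the wire between client and SOCKS server.
CAPTURED = build_auth_request("matt", "example-password")
```

Because `CAPTURED` contains the password bytes unchanged, this method is only appropriate where the path between client and SOCKS server is itself trusted or encrypted.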

Refer HTTP Requests


This option allows the SOCKS server to hand over HTTP requests to the WWW proxy. This is desirable
as it allows the use of cached HTTP files.

Allow Caching of Referred HTTP


Selecting this option allows requests accessed via HTTP hand over to the WWW proxy to be cached. If
you do select this option you may find you get multiple cache entries for the same document, due to
different server IPs that resolve to the same domain name. This is not too much of a problem, and this
option is recommended.

Use SOCKS Policies?


The top option will apply the SOCKS server policies to HTTP requests. Selecting the second option will
use the policies of the WinGate WWW server you select. Typically, you would select the WWW server
to which you are handing over.

Server Details
Type the server details required for the option you have chosen. The 'Server' entry can be a Name or IP.

Specific Policy
This refers to the policy that is being edited or viewed.

Default Rights
This option allows you to select whether this service either:

• ignore the default rights and only use its own rights
• use the default rights if the service rights deny access, or
• use default rights and service rights.

More details are available in WinGate policies and rights

Purge Qbik Web Pages


This filter will purge any files that contain the string www.qbik.com. Alternatively, the criterion could
have been ‘Server name equals www.qbik.com’.

Purge Unused Files


This will purge unused files from the cache. The first time a file is accessed, its hit count is 0. Every time
the cached copy is retrieved, the hit-count is incremented.

Purge Zero Length Files


Purging zero length files is a very sensible idea. Sometimes there is a problem downloading a file, and no
useful data is obtained. Deleting files with a length of 0 ensures that such files are not wasting directory
space.

Purge Files Not Recently Used


Depending on how much surfing you do, you will often find that files are used from the cache for a few
weeks, then they become older and out of date. Purging these files after a certain time means the cache
does not contain files that are unlikely to be required again.

Purge Large Files


While most of the files in the cache are small graphics, most of the space is taken up by a few large files.
You could add a criterion to this filter for "not recently used", or for the hit count.

Spamming
Spamming is the bulk sending of unsolicited email. This can be for advertising purposes, or sometimes
just to annoy the recipients. Spamming is hard to get away with, as email addresses and IP numbers can
easily be traced.

Interface
An interface is simply a network connection on a computer. This may be a LAN card, an ISDN link or a
dialup profile. See the glossary for further details.

DUN
Dial-up-networking. In NT this is referred to as RAS; Remote Access Server.

Allow Connections on All Interfaces


Selecting this option means that WinGate will listen for connections on all interfaces: Modem, LAN, or
any other. This allows connections to be made to WinGate from the Internet.

Specify Interface
This option makes WinGate listen to a single specified interface.

Specify DHCP Interface


This option makes WinGate listen to a single specified interface.

Specify Interfaces
This option makes WinGate listen to interfaces listed in the Bound list. Interfaces in the ‘Available’ list
are ignored, and cannot connect to WinGate.

Bound Interfaces
These are the interfaces that WinGate is listening to. Double click an interface to move it from one list to
the other.

Available Interfaces
These are the interfaces to which WinGate is not listening. Connections cannot be made from these
interfaces to WinGate. Double click an entry to move it from one list to the other.

Start Even If Address Is In Use


This option forces WinGate to start on this interface even if it is being used by another application.

Help
Displays this help file.

Shutdown WinGate Engine


Shuts down the WinGate Engine to which the user is currently connected.

Save Changes
Saving changes makes WinGate save its current configuration on disk. Always save changes when
changes are made that you want to remain permanent (otherwise they will disappear as soon as you close
GateKeeper).

Advanced AutoSave:

Click here to configure GateKeeper to AutoSave any configuration changes.

Tool Bar
Turns the tool bar on/off.

Status Bar
This option turns the status bar on/off. The status bar resides at the bottom of GateKeeper. It provides
information on whatever the user is about to do (when you roll the mouse over or select an option).

Always on Top
Selecting this option will make GateKeeper stay on top of all other applications. This allows the
Administrator to view what is happening while using other applications.

About GateKeeper
This dialog displays information about the current version of GateKeeper.

Current Computer Session


This entry displays a current computer session, the computer's network name (SERVER in this example)
and the logged on user name (Tim in this example).

Authenticated WinGate User


This user session displays the WinGate user name (Administrator in this example) and their authentication
level. If the user is not logged in they will appear as Guest.

Remote Control Session


This key icon represents the Remote Control or GateKeeper session. The last configuration action is also
displayed.

WRP Control Sessions


This icon is used to indicate a WRP control session. Control sessions are the WinGate Internet Client's
connections to WinGate. There will be one control session for each Internet application using the client.

TCP Session
This TCP link represents a data connection from the client application on the computer 192.168.0.7, to the
remote computer. Beside each IP number is the port being used.

HTTP Sessions
WinGate recognizes many types of request. In this case, it has detected that these are Web sessions. The
requested URL is displayed. Sessions are displayed in the order that they are terminated.

Guest WinGate User


The guest user icon is displayed when the user is not logged in with GateKeeper and WinGate has no user
assumption information about that computer. These ‘Guest user’ sessions will not appear if you are
running WinGate with a Home license (since advanced user configuration is only available in standard
and pro versions).

Assumed WinGate User


The assumed user icon is displayed when the user is not logged in to GateKeeper, but has been set up as an
assumed user. Assumptions about users can be made using the computer network name, IP address or by
Windows login name (only when the WGIC is installed).

These ‘Assumed user’ sessions will not appear if you are running WinGate with a Home license (since
advanced user configuration is only available in Standard and Pro versions).

MITCH\ben Computer Session
This session indicates that local user 'ben' is logged in to the computer with the network name MITCH,
and is connected to WinGate. This is a Windows account, not a WinGate login, so the user is not
necessarily authenticated.

System Services
These services are essential to WinGate operation. They cannot be deleted, although all but the Remote
control service can be disabled. Scheduler is only available with a Pro license.

User Services
Users can add other services if required. These include additional proxies, mapped links, and SOCKS.
Most WinGate installations will not require any user services. In this example, a range of additional
services have been added e.g. a KeyDaemon mapping service running on port 802, a news mapping
service (for internet newsgroups) running on port 119.

Services can be edited by double clicking on the name.

Account Enabled
Use this check box to enable/disable this account. Disabled accounts will not be deleted, but they cannot
be used.

User Cannot Change Password


Selecting this option will prevent users from changing their password from what it is currently set to. Use
this option if several people use the same GateKeeper login.

User Must Change Password


Use this option to force the user to change their password next time they login to GateKeeper. Use this
option if you assign new users a default password.

User Details
Enter the user details here. Username is the only essential field.

Currently a Member Of
The user is currently a member of these groups, or will be when OK is pressed.

Not a Member Of
The user is not a member of these groups, or won’t be once OK is pressed.

Enable History Logging


You can check this box to allow additions to the History database. Un-checking this option will not delete
the database, but new entries will not be added to it. This checkbox is available from the ‘Options’ menu
in GateKeeper under ‘History’.

Maximum History Size
The current database size is listed in brackets. The history database can get quite large. Limiting the size
will prevent your hard drive from being filled up. The default for the history size is 10 MB, the maximum
100 MB.

Maximum Days
This option limits the age of session records in the database. Records will be deleted after this time.
Seven days is the default, 999 the maximum.

Clear History
Press this button to delete all records in the database.

Display This Data


All the types are saved in the database. Selected session types will be displayed in the history view.

Reset Accounting Totals


This button will zero all data amounts, charges and balances.

Time
This is the time on the WinGate server when the request was made.

Computer
This is the network name of the computer from where the request originated.

Username
This displays the Windows user name of the WinGate user who made the request (if known).

WG User Name
This displays the WinGate user name of the WinGate user who made the request (if known).

Activity
Displays details of the request made.

Session Duration
This is the time in seconds for the session to complete.

Bytes In
The number of bytes received by WinGate as a result of the request.

Bytes Out
The number of bytes sent by WinGate for this session.

History Not Available
In this Graphic, the history is not available as the user is logged in to a remote computer. History is only
available when logged in to the local computer (localhost or 127.0.0.1).

Register
Enter your license details here. If you do not have a license, click the ‘Online’ button to go to the online
order and upgrade wizard. This will use your default browser.

SOCKS Session
This is a SOCKS5 UDP associate session on port 2418, on all interfaces

Computer Session
This session shows that user Tim is logged in to Windows on computer TIMBO.

Exit
This closes GateKeeper (funny enough!).

Text Labels
Toggles the button text on and off.

Only Load the Last


This setting will limit the number of records that are loaded when GateKeeper is run (default is 2000).
Subsequent history items will be appended to this list as they are written to the database. If this number is
increased or the option disabled, GateKeeper may take a very long time to load (as it will load all of the
history items that exist in the database).

Online Computer
This icon is used to show each computer that is currently using WinGate to access the Internet. The
computer is identified by its network name or by the Windows user login username.

Note that a network name will only be displayed if the computer was configured by the WinGate DHCP
server. Also, the Windows login username (not a WinGate login so the user is not necessarily
authenticated) is only displayed when the WGIC has been installed on the client computer.

Help Topics
Displays the contents file. This is the same as you see when you click the contents button on this help
window.

DNS Lookup
These events are DNS lookups made by the client computer BULL BUG.

HTTP POST
This event was a POST operation. POST is an HTTP method for sending data to an HTTP server.

Application Name
This is the application that made this request. This data is not always known.

Check Version
This option will launch your default browser and load a page from the WinGate web site. It will tell you if
there are more recent file versions available for download.

General Purpose Internet Sharing (NAT-based) Session
This shows an active session using the General Purpose Internet Sharing (NAT-based) to access the
Internet.

Startup Options for WinGate Services

All WinGate services now have NT-style startup options:


• Service is disabled: When WinGate starts this service will not be started and you will be unable to
start it until it is enabled (by selecting another ‘service startup’ option in the properties for that
service).
• Manual start / stop: When WinGate starts this service will not be started. However, you can right-
click the service at any time to stop or start it.
• Service will start automatically: This service will start every time WinGate starts. You will still
be able to stop/start it manually as required.

Clear History
This option is available by right-clicking the history pane.

It will clear all current history from the database. Note that this process can be automated using the
WinGate Scheduler if you are using a Pro License.

Save History
This option is available by right-clicking the history pane.

It saves the current session history to the database.

GateKeeper AutoSave
When you enable ‘AutoSave’, all changes will be permanently committed after you click OK in a service
or any other dialog. This feature is great for experienced users as it speeds up the process of making
changes to a WinGate configuration.

IP Number
This is the IP number of the computer from where the request originated.

Cache Management


What Is Caching?

Caching refers to storing commonly used data in a place where it can be quickly and conveniently
retrieved when needed. WinGate provides caching of Internet material including graphics, HTML
documents or other files but only if you are using the WWW Proxy Service. If you are using the WinGate
Internet Client or WinGate NAT then you will not benefit from caching of material downloaded from the
web.

Access method                    Caching
WWW Proxy                        Yes
WinGate Internet Client (WRP)    No
WinGate NAT                      No

Caching can dramatically improve the performance of web surfing by storing commonly accessed data on the
local disk of the WinGate server. This is because you reduce the frequency that data must be downloaded
from a computer somewhere on the Internet (because the same data is stored locally).

Of course, there are some very sophisticated rules that determine whether or not the cached data is the
most recent. However, you can force your web browser to download the latest data by clicking
‘Reload’ (Netscape) or ‘Refresh’ (Internet Explorer).

What Will WinGate Cache?

A good feature of WinGate caching is that it is shared amongst all users of the WWW Proxy Service on
your network. This is convenient in that the other users on your network are often likely to look at similar
sites on the WWW as yourself (some of the time at least). This means that much of the Internet content
you access will be held in the Wingate server cache. Consequently, you will not necessarily have to
download it from a computer on the WWW (which is much more time consuming and expensive).

Note that WinGate will only cache HTTP requests (i.e. not FTP URLs) that use the "GET" method.
WinGate will not cache any request that contains a query string (e.g. the response to any form
submission). You can also create your own detailed rules to specify what WinGate will and will not store
in the cache.

Note for Users of Windows NT:

The cache directory can get very large. Most files are less than 5K in size, and it is not uncommon to
have more than 10000 files in the cache. It is worthwhile running the cache on a drive with NTFS, as this
will save you space and increase speed on the drive.

What to Cache

In this example, a rule specifies that caching will not occur for users ‘Mary’ or ‘Bob’. Note that both
rules appear within the same filter.

We recommend reading the advanced Appendix topic on Logic and Caching. To explain how the
Caching works, we have to understand AND, OR and NOT, and how they are used to construct logical
rules for use with WinGate.

AND   If criteria are joined with an AND, then they must all evaluate to true for the rule to apply.

OR    If criteria are joined with an OR, then at least one of the criteria must evaluate to true for
      the rule to apply.

NOT   This means that a rule will apply if the criterion does NOT evaluate to true.

For caching, all filters are joined with an OR, while all criteria comprising a single filter are joined with
an AND (that is, they must all be true for the filter to apply). So, if a request matches all the criteria of
any of the filters then it will be cached. Otherwise, it will not be cached.

An easy trap to fall into occurs when you want to say "Don’t cache data for Mary or Bob". You may
think that to implement this you would create two filters (one filter with a criterion Not User: Username
equals mary, and another filter with a criterion Not User: Username equals bob). However, this would
not work as expected. Bob would be filtered out by the filter that excludes bob, but because his
username is not mary, he would pass through the filter that excludes mary. Conversely, Mary would be
denied by the filter that excludes mary, but would pass through the other filter, as a user cannot have
two usernames. Because the filters are joined with an OR, requests from both users would still be cached.

What "don’t cache files for mary, or bob" really means is "cache files for NEITHER Mary OR Bob". To
make this rule work, both of these criteria must hold so we place them in the same filter:

Don’t cache the file if Bob requests it

Don’t cache the file if Mary requests it

In summary the logic is:

Cache files that are NOT requested by Bob AND NOT requested by Mary. This would result in a single
filter with 2 criteria as demonstrated in the picture above.

Note on Negative Rules:

Negative rules (i.e. caching dependent on something not being met) become complex. The previous
example shows that an entry may be denied in one filter, but allowed (either explicitly, or implicitly by
not being denied) in another. If you want multiple filters, but disallow some specific criterion, make
sure you include this disallowed criterion in every filter. This applies to all rules in WinGate
(including rules for caching and service access).
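
The Mary/Bob trap can be reproduced with a small model of the filter logic. This is an added example, not WinGate code: the class and function names are hypothetical, and it only models what the text states (filters ORed, criteria ANDed, GET-only HTTP requests without a query string).

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    method: str
    url: str


@dataclass(frozen=True)
class Criterion:
    """One test on a request. negate=True models a 'Not ...' criterion."""
    field: str          # attribute of Request to compare (assumed naming)
    value: str
    negate: bool = False

    def holds(self, req: Request) -> bool:
        hit = getattr(req, self.field).lower() == self.value.lower()
        return not hit if self.negate else hit


Filter = Sequence[Criterion]


def baseline_cacheable(req: Request) -> bool:
    """Limits stated in the text: HTTP only, GET only, no query string."""
    return (req.method.upper() == "GET"
            and req.url.lower().startswith("http://")
            and "?" not in req.url)


def filters_allow(filters: Sequence[Filter], req: Request) -> bool:
    """Filters are ORed together; the criteria inside one filter are ANDed."""
    return any(all(c.holds(req) for c in flt) for flt in filters)


def will_cache(filters: Sequence[Filter], req: Request) -> bool:
    return baseline_cacheable(req) and filters_allow(filters, req)


def missing_exclusions(filters: Sequence[Filter],
                       excluded_users: Sequence[str]) -> List[Tuple[int, str]]:
    """Audit helper for the negative-rule note: list every (filter index, user)
    where a filter lacks the 'Not User equals <user>' criterion and therefore
    lets that user through via the OR."""
    gaps = []
    for index, flt in enumerate(filters):
        for user in excluded_users:
            guarded = any(c.field == "user" and c.negate
                          and c.value.lower() == user.lower() for c in flt)
            if not guarded:
                gaps.append((index, user))
    return gaps


NOT_MARY = Criterion("user", "mary", negate=True)
NOT_BOB = Criterion("user", "bob", negate=True)
TWO_FILTERS = [[NOT_MARY], [NOT_BOB]]   # the trap: one negative criterion per filter
ONE_FILTER = [[NOT_MARY, NOT_BOB]]      # the fix: both criteria in the same filter

if __name__ == "__main__":
    page = "http://www.example.com/logo.gif"   # constructed sample URL
    for name in ("bob", "mary", "alice"):
        req = Request(name, "GET", page)
        print(name, will_cache(TWO_FILTERS, req), will_cache(ONE_FILTER, req))
    print(missing_exclusions(TWO_FILTERS, ["mary", "bob"]))
```
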

What to Purge

When the cache directory gets to the set size limit, WinGate can initiate a purge, deleting unwanted or less
used files.

We recommend reading the advanced Appendix topic on Logic and Caching. To explain how the
Caching works we have to understand AND, OR and NOT, and how they are used to construct logical
rules for use with WinGate.

AND   If criteria are joined with an AND, then they must all evaluate to true for the rule to apply.

OR    If criteria are joined with an OR, then at least one of the criteria must evaluate to true for
      the rule to apply.

NOT   This means that a rule will apply if the criterion does not evaluate to true.

For purging, all filters are joined with an OR, while all criteria comprising a single filter are joined
with an AND (that is, they must all be true for the filter to apply). So, if a cached file matches all the
criteria of any of the filters then it will be purged. Otherwise, it will be left in the cache.

You can think of these filters as a profile for a file that will be deleted. By adding filters, you are adding
types of files that you want to purge. By adding criteria to a filter, you are further specifying the
conditions under which this profile applies.

Note on Negative Rules:

Negative rules (i.e. purging depending on something not being met) become complex. An entry may be
denied in one filter, but allowed (either explicitly, or implicitly by not being denied) in another. If you
want multiple filters, but disallow some specific criterion, make sure you include this disallowed
criterion in each filter.

Security Concepts in WinGate

WinGate 4.0 has been designed to provide a very high level of security, and to allow great flexibility of
accounting for use of the Internet. There are a number of major concepts in the way that the security
features of WinGate govern its actions. These center on the following security objects in WinGate 4.0:

Users

A user is someone or something that is obtaining service from WinGate. You can create users and groups
from within WinGate (or import them from NT or a text file), or choose to integrate WinGate with an
existing NT/2000 user database.

WinGate can store audit and accounting data for each user as well as manage their rights and privileges
(whether you are using the WinGate or NT databases).

The links below provide information on managing the WinGate user database. However, if you are
running WinGate on NT or 2000, we recommend using the NT user database integration (this provides
stronger NT-based authentication and a more robust database).

• Click here to learn about adding a new WinGate user

• Click here to learn about adding a new WinGate group

• Click here to learn more about managing users/groups (only applies to Pro License).

Computers

A computer in WinGate is a record of a physical computer that is connected to WinGate via the LAN.
Individual computers are tracked according to their private IP numbers (which will be uniquely assigned
automatically if you are using the WinGate DHCP Service).

Because users only exist on a LAN in the context of a computer, you can configure WinGate to make
certain assumptions based upon this. For instance, John is the only person who ever logs on to the
computer named JOHNSPC with a private IP of 192.168.0.55. Therefore, WinGate can assume that any
activity on this computer is caused by John (and can enforce policies accordingly).

These assumptions correspond to Confidence Levels (how confident WinGate is about the identity of the
user on that computer). By default, a computer will be "unknown" and assumptions will only be made
where you specify these. WinGate will recognize 3 levels of users on the network:

Unknown
    WinGate has no knowledge of this user.

Assumed
    WinGate makes an assumption about the identity of the user, based upon the IP number of the
    computer connected or the network name of the computer (this is set up under ‘Locations’
    in GateKeeper).

    In addition, users can make use of insecure authentication in Telnet or SOCKS 5 to achieve an
    "assumed level" of authentication (an assumed user is less secure than an authenticated user).

Authenticated
    WinGate can verify the identity of the users because they have authenticated (i.e. they have
    supplied a correct username and password to WinGate). Users can authenticate themselves by a
    range of methods provided by WinGate. Click here to learn more about Secure User
    Authentication with WinGate.

Note that with WinGate the terms ‘Logged In’ and ‘Authenticated’ are used synonymously.

Once you understand the WinGate concepts of users, groups and confidence levels, you are ready to set up
policies that may restrict what they do.

Related Topics:

Click to learn about Implementing Security with WinGate Policies.

Managing Users and Groups with WinGate

Setting up custom users and groups is a key feature of WinGate Pro (Standard license holders only get the
basic users and groups outlined below). It allows you to create meaningful policies that control and track
access to your key WinGate Services.

WinGate policies can be driven by one of two user databases – the WinGate user database or the
Windows NT / 2000 user database (click here for more information on NT user database integration).

This topic outlines how to manage users and groups when you have chosen to use the WinGate database
and GateKeeper for user management (no NT / 2000 integration). Windows 9x users will only be able to
manage users and groups in this way.

Note About Users & Groups:
Setting up users and groups is not required by WinGate (it will function fine without them). However, it
does dramatically improve your ability to manage and record Internet access.

Administrator Account

The Administrator user account has full control over all aspects of WinGate configuration and cannot be
deleted. When WinGate is first installed the Administrator account will have no password but you will be
prompted by GateKeeper to set one immediately.

You can leave the Administrator password blank if you like, but WinGate will then only allow you to
connect with GateKeeper from localhost, not remotely (it enforces this by changing the bindings).

This is a security precaution taken to prevent unwanted users on the Internet (or on your LAN) from
hacking into your WinGate configuration. You will be informed by a System Message if the Remote
Control Service bindings are automatically altered for this reason.

Guest Account

The Guest user account has no default password and cannot be deleted. Guest is the account that all
unknown users access by default. By default, the guest has rights to allow them to access all services but
no rights for configuring anything. You can increase or decrease these rights depending on the level of
security required by your network.

Assumed Users

You can configure WinGate to assume the identity of a user based on the IP address or network name of
their computer. This is very convenient when you want to track your users but do not require full
authentication. This is most useful when each person on your network uses the same computer each time.

Additional Cautions & Consideration

You may implement any of these policies plus many more at your discretion:
• Allow administration only from the Wingate server, or any other predetermined computer on the
network
• Require authentication or not
• Have separate accounts for all administrators
• Require authentication, but have shared user accounts (e.g. per class, see below)
• Account restricting for groups and individuals to monitor access levels
• Groups per company division with a different set of rights (like accounting, marketing, sales).

Restricting Guest Access

If somebody is accessing WinGate services from an unknown location (i.e. no location entry) without
authenticating, they will be user Guest.

Accounting does not have to be enforced (i.e. charged), but it is useful to see who uses the Internet the
most. You can also stipulate that someone’s account balance be positive.

A shared user account is very useful. Setting up one or more user accounts that can be used by different
people is a way of tracking the usage of a group. This is most likely to be used in schools, where a whole
class can use one user account (e.g. Room4). A tutor can have an individual account, but be in the same
group and also in an Admin group. This way you can monitor the group usage and won’t have to set up so
many accounts.

Assumptions can save people logging in. If some computers are only ever used by one person, then give
them an assumption and they won’t have to log in!

If you set up your bindings in a secure way, your network can’t be accessed from outside. You may
decide you don’t require clients to log in.

Adding a User

The ability to add and configure user accounts is only available with a WinGate Pro License.
Creating your own users and groups enables you to set up policies on a per-user and per-group basis.
This allows you to have much tighter control over your network’s Internet access through features
such as time/location based restrictions, accounting and auditing.

To "Create" a New User:

Whenever you create a custom user, the default rights and characteristics assigned to that user are based
on a default user template. You can modify this template to make it easier to create users (see below):

The steps to take:

1. Select the ‘Users’ tab in GateKeeper

2. Right-click the mouse anywhere and select ‘New User’

3. You will be presented with a New user dialog box

4. Type in the user name* (e.g. Jim) into the ‘Username’ field

5. Enter the user’s Real name (optional)

6. Get the user to enter and confirm their password, or leave it blank and select ‘User must
change password at next logon’

7. Enter a description of the user e.g. Technical support guru

8. Set the options for this user

9. Click OK.

*Note:

The following characters are not valid in a username: [ ] + = \ / : ; , * ? " < > |

To "Clone" an Existing User:

The steps to take:

1. Select the ‘Users’ tab in GateKeeper

2. Select an existing user and right-click the mouse

3. Select ‘Clone’ from the context-menu

4. Change the name, description and password for the new user

5. Change any other properties as required and click OK.

To Modify the Default User Template:

By default, WinGate will create users with a minimal set of attributes. If the Administrator wants further
control over what details are set for newly added users, they can set up a user called "default". Any
attributes of the default user will be carried over to newly created users (it acts as a template for creating
new users).

The steps to take:

1. Run Gatekeeper

2. Log on as Administrator

3. Open the users window of the WinGate Control Panel

4. Right-Click the users tree and select New User

5. Make the user name "default"

6. Make any other selection settings that you want to be used in the future when creating new
users. Password options (you may want a default password), Logon options, Groups,
Auditing and Accounting details are all available

7. Press OK.

In future, all newly added users will have the attributes of the user called ‘default’; all you need to
change is the user name.

User Information

The options on the User info tab are self-explanatory. However, they are further discussed in the security
section.

Advanced User Options

• Groups

• Accounting

• Auditing and Logging

Groups

Groups are an integral part of extending the user rules. Groups are logical
collections of users who share common features. Groups can have any number of
members. A member can be a user or a group, allowing group nesting. Individual
users can be in any number of groups. Rights can be applied on a Group or User
basis.

To Add a Group:

1. View the advanced options

2. Select Users tab

3. Open the Group tree by clicking on the + sign

4. Right-click any group, and select ‘New Group’

5. Name and Describe the group

6. Double click to add member

7. Click OK.

To Edit a Group:

1. Double click the group name

2. Double click on members you want to remove

3. Double click on non-members you want to add

User Assumptions

Locations are a method of tracking users without requiring your users to log into WinGate. You can set
up location assumptions, so that when someone connects from a known location, they will be assumed to
be a given WinGate user.

Assumptions can save users from logging in. If certain computers are only ever used by one person, then
setup an assumption and they will not be required to log in to authenticate.

Adding a Location Assumption

1. Right click the Assumed Users branch in GateKeeper advanced view users tab

2. Select ‘By IP address’ for an IP-based assumption, or ‘By name’ for a computer name-based
assumption (this is the NETBIOS or Windows networking name of the computer)

3. Click Add

4. Type in a computer name or IP for which you wish to make an assumption

5. Choose the user you wish to assume will be using that computer

6. Click OK, OK.

Note About Assumptions:


• Only DHCP clients can use name-based assumptions.
• When you set up IP assumptions (locations) you can use the wild card * to mean ‘any’.
• IP Assumptions are read from the top down. They will associate with the first match.

For Example:

192.168.0.1 john

192.168.0.3 alf

192.168.*.* fred

192.168.0.* cilla

The problem here is that cilla will never be reached because line 3 - fred, covers anything that is not
192.168.0.1 or 192.168.0.3. If cilla was promoted like this:

192.168.0.1 john

192.168.0.3 alf

192.168.0.* cilla

192.168.*.* fred

Then cilla would be assumed for any connection from the 192.168.0 range of IPs except 192.168.0.1 and
192.168.0.3, and if say 192.168.1.12 connected, it would be associated with fred. There is an implicit
assumption of *.*.*.* -> Guest, as anyone who has not logged in, and has no assumption, is in fact a Guest.
This is logically at the bottom of the list, as it will associate with any IP.
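
Because the first match wins, a misplaced wildcard silently attributes activity (and the policies that go with it) to the wrong user. The following added example, which is not part of WinGate, resolves an IP to its assumed user and reports entries that can never be reached; it assumes ‘*’ always stands for a whole octet, and the function names are hypothetical.

```python
from typing import List, Sequence, Tuple

Rule = Tuple[str, str]   # (IP pattern, assumed username)


def rule_matches(pattern: str, ip: str) -> bool:
    """Octet-by-octet comparison; '*' in the pattern means 'any' for that octet."""
    p, a = pattern.split("."), ip.split(".")
    if len(p) != 4 or len(a) != 4:
        return False
    return all(x == "*" or x == y for x, y in zip(p, a))


def assumed_user(rules: Sequence[Rule], ip: str) -> str:
    """Read the list from the top down and return the first match."""
    for pattern, user in rules:
        if rule_matches(pattern, ip):
            return user
    return "Guest"   # the implicit *.*.*.* -> Guest entry at the bottom


def covers(earlier: str, later: str) -> bool:
    """True if every address matched by `later` is also matched by `earlier`."""
    return all(e == "*" or e == l
               for e, l in zip(earlier.split("."), later.split(".")))


def shadowed_rules(rules: Sequence[Rule]) -> List[Tuple[Rule, Rule]]:
    """Return (unreachable rule, rule that hides it) pairs.

    Only detects a rule hidden by one single earlier rule, which is the
    case described in the text; coverage by a combination of earlier
    rules is not checked.
    """
    found = []
    for index, (later, user) in enumerate(rules):
        for earlier, winner in rules[:index]:
            if covers(earlier, later):
                found.append(((later, user), (earlier, winner)))
                break
    return found


# The two orderings from the text above.
ORIGINAL = [("192.168.0.1", "john"), ("192.168.0.3", "alf"),
            ("192.168.*.*", "fred"), ("192.168.0.*", "cilla")]
PROMOTED = [("192.168.0.1", "john"), ("192.168.0.3", "alf"),
            ("192.168.0.*", "cilla"), ("192.168.*.*", "fred")]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("promoted", PROMOTED)):
        print(label, assumed_user(rules, "192.168.0.77"), shadowed_rules(rules))
```
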

User Info Tab

Groups Tab

User Accounting

The accounting features make WinGate a useful LAN management tool. Accounting information is
updated in real time if you are viewing the user record of someone that is accessing the Internet. Data
totals are updated at the termination of each session. Time online is updated when all of a user’s data
sessions have terminated. Sections and terms are explained below.

Data Totals

Bytes sent to client
    This is the total number of bytes WinGate has sent to the client computer. In the case of HTTP
    use, a lot of this will come from the cache.

Bytes received from client
    This is the data that the client has sent to WinGate.

Bytes sent for client
    This is the data that WinGate has sent to servers on behalf of the client. This is usually
    different to the number of bytes received from the client.

Bytes received for client
    This is the amount of data WinGate has downloaded from the Internet on behalf of the client.
    This will likely be lower than the number of bytes sent to client, due to caching.

Seconds online
    This is the number of seconds that a client was registered with WinGate. Note that this is not a
    reliable way of telling how much time a user spends on the net if they are logged on. In this
    case, the time is the entire period they are logged on. Being logged on does not imply Internet
    use. Seconds online is updated at the end of all user sessions i.e. when a user logs out.

Charging

Rates
    In the rates boxes you can specify what you will charge per Megabyte or time online. Typically
    only Bytes received for client and Bytes sent for client will be charged.

Total Charges
    This is the sum of the charges accrued.

Opening Balance
    This is what the user has paid so far.

Closing Balance
    This is the Opening Balance less Total Charges.

Reset
    This button resets the Quantity fields. Beware, there is no confirm dialog, so if you muck up,
    press cancel!

The Scheduler has functions for exporting and resetting the user database information.

Example Scenarios:

• Specify an amount, maybe $20, and that will be free for the user. If the Closing Balance goes
negative, the user pays you that amount.

• User pays an amount (this goes in Opening balance), they can use the Internet till their balance is
zero, then access is cut off. This is ideal for Internet Cafes.

Click here for more information on how to Reset accounting totals

Auditing and Logging

Advanced monitoring gives an administrator full details of all WinGate activity. User properties dialogs
have an auditing tab. Services properties have a logging tab. All per-user monitoring is stored in the
audit files, and per-service monitoring in the log files. These files are in a ‘Tab delimited’ format. A text
editor or the Logfile Server can be used to view these files.

User audits are stored by default as:

%WinGatePath%\audit\username.log

Service logs are stored by default as:

%WinGatePath%\logs\servicename.log.

The file format is:

Date    Time    IP Address    Session #    Event Type    Event Details

12/02/96 15:01:25 192.168.0.1 0000006100 Modify user John

12/02/96 15:04:35 192.168.0.1 0000007126 Created http://

There are two divisions of Audit/log events. Several options are available. Administrators may select
any or all of these. The default options are indicated.

Session Events

Event type            Default setting   Description

Creation              Off               Selecting this option causes session creation details to be
                                        logged. The detail indicates the service type, e.g. HTTP.
                                        Session creation details are often used when tracking down
                                        problems.

Termination           Off               Selecting this option causes termination of sessions to be
                                        logged. This is not normally selected unless there are
                                        problems with your applications hanging. An individual
                                        session can be tracked from creation and request to
                                        termination.

Request Details       On                Session request detail will be stored. In HTTP, the
                                        requested URL will be recorded.

Debug                 Off               Logs any debug messages that occur.

License violations    Off               Any violation of the license count will be recorded.

Traffic               On                Traffic levels recorded for the session. In Bytes (sent to,
                                        received from, sent for, received for) client, seconds.

Configuration Events:

Event type              Default setting   Description

Authorization Failure   On                If a user enters the wrong password, the event will be
                                          noted.

Errors                  On                Records details of any errors.

Service start/stop      On                Notes when the service is started or stopped.

Configuration changes   On                Notes service/user configuration changes.

User Login              On                Indicates when the user logs in.

User Logout             On                Notes when a user logs out.
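
Since the audit and log files are tab delimited, they are easy to review with a script. The following added example (not part of WinGate) parses the six columns listed above and flags source IPs with repeated authorization failures, including those where a login follows the failures. The sample lines are constructed, and the event-type strings "Authorization failure" and "User login" as written to the file are assumptions.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

AUTH_FAILURE = "authorization failure"   # assumed event-type text, compared in lower case
USER_LOGIN = "user login"                # assumed event-type text, compared in lower case


class AuditEvent(NamedTuple):
    date: str
    time: str
    ip: str
    session: str
    event_type: str
    details: str


def parse_audit(text: str) -> List[AuditEvent]:
    """Parse tab-delimited lines: Date, Time, IP Address, Session #, Event Type, Event Details."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 5)          # the details column may itself contain tabs
        if len(parts) < 5:
            continue                         # blank or truncated line
        parts += [""] * (6 - len(parts))     # details may be empty
        events.append(AuditEvent(*(p.strip() for p in parts)))
    return events


def failures_by_ip(events: List[AuditEvent], threshold: int = 3) -> Dict[str, int]:
    """Source IPs with at least `threshold` authorization failures."""
    counts = Counter(e.ip for e in events if e.event_type.lower() == AUTH_FAILURE)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def logins_after_failures(events: List[AuditEvent],
                          threshold: int = 3) -> List[Tuple[str, str, int]]:
    """(ip, details, failures) for each login preceded by `threshold` or more
    failures from the same IP since that IP's previous login."""
    streak: Dict[str, int] = {}
    hits = []
    for e in events:
        kind = e.event_type.lower()
        if kind == AUTH_FAILURE:
            streak[e.ip] = streak.get(e.ip, 0) + 1
        elif kind == USER_LOGIN:
            if streak.get(e.ip, 0) >= threshold:
                hits.append((e.ip, e.details, streak[e.ip]))
            streak[e.ip] = 0
    return hits


# Constructed sample in the column order shown above (not real log data).
SAMPLE_LOG = "\n".join([
    "12/02/96\t15:01:25\t192.168.0.1\t0000006100\tCreated\thttp://www.example.com/",
    "12/02/96\t15:02:01\t192.168.0.9\t0000006101\tAuthorization failure\tAdministrator",
    "12/02/96\t15:02:04\t192.168.0.9\t0000006102\tAuthorization failure\tAdministrator",
    "12/02/96\t15:02:06\t192.168.0.4\t0000006103\tAuthorization failure\tmary",
    "12/02/96\t15:02:09\t192.168.0.9\t0000006104\tAuthorization failure\tAdministrator",
    "12/02/96\t15:02:15\t192.168.0.4\t0000006105\tUser login\tmary",
    "12/02/96\t15:02:20\t192.168.0.9\t0000006106\tUser login\tAdministrator",
    "12/02/96\t15:03",                       # truncated line, skipped by the parser
])

if __name__ == "__main__":
    parsed = parse_audit(SAMPLE_LOG)
    print(failures_by_ip(parsed))
    print(logins_after_failures(parsed))
```
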

Viewing Log and Audit Files

For easy viewing of user audits and service log files, WinGate has a LogFile Server, which is installed
by default. This is a WWW proxy service on port 8010 that is configured to serve audits and logs to a
web browser. To use this service you will need to make sure that your web browser is configured
properly. This means not using a proxy for the WinGate server computer since it is served from within
your network (not on the Internet).

Add this line to your ‘Don’t use proxies for:’ section in your browser setup:

wingate:8010
(or the IP address or network name that you have assigned to the Wingate server).

Viewing the WinGate Log Files from a Web Browser

Simply cut and paste the following into your browser address field:

http://wingate:8010 (substituting "wingate" for the network name of your Wingate server)

OR

http://192.168.0.1:8010 (substituting "192.168.0.1" for the private IP address of your Wingate server)

An editable file, index.htm is served from the WinGate install directory. Three links are available:
• Service Logs
• User Audits
• Gatekeeper.exe

Selecting either of the first two will take you to the logs or audit directories. The third allows you to
download Gatekeeper if it is required on a workstation. It is advisable to limit access to this server to
Administrators (or else users may download gatekeeper and attempt to modify settings).

Other Applications

You can add other servers in a similar manner, to allow you to view logs from other applications.

Adding a Log File Server

1. In GateKeeper add a WWW proxy on a suitable port (see appendices)

2. Choose the Non-Proxy request tab

3. Select the ‘Server request’ option

4. Click the Web Server settings button

5. For 'Server root directory' enter the directory that WinGate is in

6. For 'Default filename' enter 'index.htm'

7. Select 'Enable directory browsing'

8. Click OK, OK.

Then you should write a suitable HTM page using the index.htm file from the WinGate directory as a
guide. You can use these servers for serving anything including your Intranet/Internet pages.

WinGate Policies and Rights

WinGate provides tight security while maintaining flexibility. Security in WinGate is managed by the
assignment of rights to individuals and groups (and these assignments form policies). In this manner,
WinGate security operates in a similar way to the Windows NT user system.

Policies in WinGate can be implemented at both the system level and on a service-by-service basis. You
can create a mix of policies at both levels to enforce the level of security required for your network.

System Policies

System Policies are the primary way for implementing security and control with WinGate. Policies can
now be defined per service, per user, per group as well as per time of day, and can be restricted on a per
request basis. These are the overall restrictions that apply to all services (unless these are overridden at
the service policy level).

How Do I Configure These?

From GateKeeper, go to the "Users" tab of the WinGate control panel and double-click the book icon
labeled "System Policies".

• Click here to learn more about configuring policies with GateKeeper.

Service Policies

Service Policies are the secondary way for implementing security and control with WinGate. These rules
are evaluated only for the service that they are applied to.

How Do I Configure These?

From GateKeeper double-click on the WinGate Service that you wish to configure. Click on the
"Policies" tab and begin adding policies.

• Click here to learn more about configuring policies with GateKeeper.

"Integrating" System and Service Policies

This is the key to a comprehensive security policy with WinGate. Specifically, it is important to integrate
the policies that apply for individual services (Service Policies) with those policies that apply to
everything (System Policies). You do this by specifying one of the options below when you define rights
for a service.

"are ignored" – this means System Policies do not apply for this service (in which case you must be
careful when creating these rules as they will be the only security for that service).

"may be used instead" – this means that something permitted by the Service Policies may be restricted
by the System Policies. This implements two-levels of security so is a reasonably secure approach.

"MUST also be granted" – this is the greatest level of security as both policies must explicitly grant
rights for a user. Of course it is also the least flexible of these three approaches.

Consider the following scenario for "integrating" WRP Service Policies with System Policies:

You want to set up a minimal set of security policies and restrictions that will apply for all WinGate
services (and hence all types of Internet access from your LAN). You implement these policies at the
System Level. However, because the WinGate Internet Client will connect "any" Internet applications that
demand it, you want to implement far tighter control over the WRP Service. You implement these tighter
policies at the Service Level, selecting System Level policies "are ignored" in the WRP service
properties.

Custom Groups and Users

With a WinGate Pro License you can create custom groups or users. This allows you to
create different levels of security that can be applied to ‘groups’ of users. This is timesaving
and is an effective way of managing security on your network.

Rights can be used in three ways for each service and are selected from the "policies" tab in properties for
a service:
• The service will grant access if its rules allow the specific request, ignoring the default rights
• The service will grant access if its rules allow the specific request OR if the default rights allow
the specific request. This option is called ‘may be used instead’ and is the default
• The service will grant access if the service policies allow access AND the default rights allow
the specific request. This option is called ‘MUST also be granted’.

Basic Rule Structure

System Policies define the default access and control rights to WinGate services and functions. They are
accessed from the icon on the configuration pane.

Service Policies are accessible from the Policies tab of each service. The following rights are
configurable. See assigning rights for details on how to configure these.

Users can access services/this service
    This right specifies which users can use this service, and what requests they can make.

Users can modify or delete services/this service
    This right specifies which users can modify the settings of this service or even delete it.

Users have simultaneous access from multiple computers
    This right allows users to access services from more than one computer at once. The
    Administrators have this right by default.

User can start/stop services/this service
    This right specifies which users can start or stop this service.

User has power user rights
    This right covers a range of administrator-type activities, but which do not necessitate
    separate rights themselves.

    By default this right is assigned to the administrator group only.

Users can create and edit users
    This right specifies which users can modify the user database, creating and editing users
    and groups.

Users can create/delete services
    Users with this right can create or delete WinGate services in GateKeeper.

Users can monitor activity on this server
    This right specifies which users can monitor activity on the server. This allows the user to
    see the status of all sessions on the server.

Users can delete sessions from this server
    This right specifies which users can delete sessions from the server.

Users can modify and control system policies
    This right specifies which users can modify system policies. If a user does not have this
    right then the icon for policies will not appear.

Users can modify and control WinGate dialer
    Users with this right can modify and control WinGate dialer profiles.

Users can modify and control WinGate cache
    Users with this right can modify and control WinGate cache settings through GateKeeper.

Users can shutdown WinGate
    Users with this right can shutdown the WinGate service itself. It is recommended that only
    Administrators be allowed this right, as it is not correctable with GateKeeper. To restart the
    service it must be started in Control Panel (NT) or with the ‘Start WinGate Engine’ icon in the
    WinGate group.

Users can change WinGate license
    This right allows the recipient to change the license details in the System info section.

Users can change WinGate scheduler
    This right lets the Administrator control who has access to edit the scheduler. This should
    only be available to a select group, say Administrators and Backup operators.

Assigning Rights

Rights are granted to recipients (which can be a user, group, or everyone). To grant a right to a
recipient, you add that recipient to the right. You may add the same recipient to the right many times,
each with different restrictions.

Default policies will be sufficient for most situations, but you may wish to customize certain services.

When you access the Internet or change WinGate configuration, WinGate will look through the recipient
list assigned to that event. It either finds a recipient with that right, or reaches the end of the list of
recipients. If it fails then the right is not granted, and the user will be denied access.

How to Add/Edit Rights for a Recipient:

1. Double-click a recipient to edit its rights

2. Click the Add button to add a new recipient. You will be presented with a recipient properties
dialog.

To Learn More About Policies:

• WinGate Policies & Rights: Policies can be applied globally or on a per-service basis.
• System policies are available by double-clicking the ‘Rule book’ icon on the configuration pane.
• Service policies are on the Policies tab on the dialog for each service.

Recipient Tab


The Recipient tab specifies who is the recipient of the right you are editing. You may choose
‘Everyone’, or specify a user or group.

The Administrator can choose from three levels of authentication:
• Selecting the User must be authenticated option requires users to authenticate with WinGate
• Selecting the User may be assumed option allows authenticated and assumed users, but
non-authenticated users from an unknown location will be denied
• Selecting User may be unknown means that this recipient applies to anyone.

Location Tab

A user connecting from any of the included locations is a valid recipient.

A user connecting from any of the excluded locations is not a valid recipient.

This allows you to restrict rights based on the location of the user.

You can specify rights that are available from:

• Everywhere
• a range of IP numbers (by use of a filter), or
• a single IP

In order for the right to be granted, the IP number of the computer that the user is on must match at least
one Included location, and must not match any of the excluded locations.

An IP Filter is a wild card, allowing you to specify a range of IP addresses.

By using wild cards (e.g. the characters ‘?’ and ‘*’) you can tell WinGate to ignore certain parts of the IP
address when comparing against the location restrictions. These wild cards work in the same way as they
do for DOS filenames, so if you are familiar with those then this concept should be easy. There are a
couple of examples given at the end of this section that demonstrate how this applies.

See also:

Rules examples

Time Tab


The Time tab allows you to specify when the recipient has rights. You can specify always, or you can
specify times when the recipient has the rights, and times when the recipient does not have the rights.

You do this by adding time-slices to the included times or excluded times. If you choose to specify when
the recipient has rights, then you must add an included time for when you want the right to apply. You
can specify times on a regular or one-off basis, so you can set up rules like "every weekday from 09:00:00
to 17:00:00" or "From 12-Jan-97 12:00:00 to 13-Jan-97 12:00:00".

In the example above, the recipient has access every weekend from 8:30 am till 5:30 p.m., and every
weekday from midday till 1 p.m. except on Wednesdays from 3 p.m. till 3:30 p.m.

Ban List Tab


The Ban List tab is probably the most useful tab for limiting user access.

This list bans anything that matches any of the criteria. In the example above, no one can access the
server 'www.naughty.com'. Bans can be made globally with Default Rights, or configured on a per-
service basis.

To add a Global ban for www.naughty.com:

1. In Gatekeeper, select System Policies

2. Edit the 'Everyone' recipient

3. Select the Ban list tab

4. Select 'Enable ban list'

5. Click Add

6. Select 'This criterion met if', 'Server name', 'equals'

7. Enter the name you wish to ban, i.e. www.naughty.com

8. Click OK.

The ban will then appear in the Banned criteria list.

Hints and Notes:


• A recipient is banned if any criteria match the global or service ban list
• Anything you ban is inaccessible for that recipient
• It is easier to ban URLs containing certain words than complete URLs or sites
• You can deny access to certain parts of a site with a ban of URL contains
'www.servername.com/dir1/dir2/'. This will allow access to any other part of a site. This can be
used for access control depending on logged on user or group.

Advanced Tab

The Advanced tab allows you to place restrictions on the request that a user can make when accessing a
service. You can specify combinations of required and banned criteria in order to limit the requests your
users can make.

If you choose to specify which requests the recipient has rights for then you specify filters and criteria. If
you specify no included criteria, then there are no restrictions. This dialog follows the same logic as the
Caching tabs, see there for details on how to customize this section.

Think of this dialog as adding restrictions to the request.

You have access to a number of variables when specifying a criterion. Here is the list of variables that
you have access to when setting up criteria.

In this list, ‘All’ means all services except DHCP.

| Variable | Type | Services | Description |
|---|---|---|---|
| Client IP number | String | All | The IP address the user is connected from. |
| Client port number | Number | All | The port number on the client’s computer. |
| Client Netbios name | String | All + DHCP | The network name of the computer connecting. |
| Client MAC address | String | All + DHCP | The MAC address of the LAN adapter in the requesting computer. |
| Client is a DHCP client | True/False | All | The connecting computer has an IP assigned by WinGate. |
| Server name | String | All | The name or IP of the server the client has asked to be connected to. |
| Server port number | Number | All | The port number on the server the client has asked to be connected to. |
| User: Username | String | All | The username (in WinGate) of the client. This is the account to which data and time will be recorded. |
| User: Authentication level | Number | All | The user authentication level. 0 = unknown user, 1 = Assumed, 2 = Authenticated. |
| User: Bytes sent to client | Number | All | The number of bytes sent to date to the client from WinGate. |
| User: Bytes received from client | Number | All | The number of bytes received to date from the client by WinGate. |
| User: Bytes sent for client | Number | All | The number of bytes sent to date by WinGate on behalf of the client (e.g. to servers). |
| User: Bytes received for client | Number | All | The number of bytes received to date by WinGate on behalf of the client (e.g. to servers). |
| User: Seconds on line | Number | All | The number of seconds the user has been accessing WinGate to date. |
| User: Account balance | Number | All | The user’s account balance. |
| Session description | String | All | Description of session. |
| HTTP Protocol | String | WWW | The protocol the user has requested in the URL, e.g. http, ftp, wais, ssl, gopher. |
| HTTP Method | String | WWW | The HTTP command sent by the user, e.g. GET, HEAD, LIST, PUT, CONNECT, POST. |
| HTTP Resource | String | WWW | The file requested by the user. |
| HTTP URL | String | WWW | The full URL. |
| HTTP POST data | String | WWW | The contents of any form sent using the POST method. |
| HTTP Query string | String | WWW | The contents of the query string. This is normally the contents of a form posted by the GET method. |
| HTTP Header field | String | WWW | Any specified HTTP request header as defined in the HTTP protocol standard. You must supply the name of the field e.g. "User-Agent", "If-Modified-Since", etc. |
| Is Non-proxy method | True/False | All Proxies | Whether the request was a non-proxy request. |
| Session was handed over | True/False | WWW | Whether the session was handed over from SOCKS. |
| POP3 Username | String | POP3 | The username of the POP3 mailbox the user is accessing. |
| FTP Username | String | FTP | The username on the FTP server the user is accessing. |
| VDOLive File | String | VDOLive | The file requested by the VDOLive player. |
| SOCKS Protocol version | Number | SOCKS | The SOCKS protocol version number - 4 or 5 are valid. |
| SOCKS Command | Number | SOCKS | The SOCKS command. 1 = connect, 2 = bind, 3 = UDP associate (SOCKS5 only). |
| SOCKS Address type | Number | SOCKS | The SOCKS address type (relevant for SOCKS5 requests only). 1 = IP4, 2 = Name, 3 = IP6 (not supported). |

The variable type determines what comparisons you can make with that variable. If the variable is a
number, you can check whether a number you specify is greater than, less than, or equal to the variable
you select.

If the variable is a string then you can apply comparisons such as "contains", "begins with", "ends with" or
"is empty".

Rules Examples

The flexibility of the WinGate rules set allows many policy possibilities. You must decide what security
policies you will implement based on your specific requirements. See the notes on securing your network
for details on security.

Rule Suggestions & Examples:

Actual policy ‘data’ is displayed in bold so that it stands out. Some of these criteria will only be
available with a WinGate Pro License.

• With the Ban list tab on the WWW proxy, ban the following sites: www.playboy.com,
www.naughty.com, www.thex-files.com and any URL containing words: sex, hardcore, XX,
filth, and any other objectionable words
• Everyone can access the WWW Proxy, but they cannot request URL resources ending in .GIF or
.jpg
• Nobody is allowed to post forms with the HTTP Method, POST
• Nobody is allowed to use SOCKS if they are using version 4 of the protocol
• User bobby-sue can access the WWW proxy only from 192.168.0.2 weekdays from 9 - 5 as long
as he is using HTTP Method Get, and his user account balance is greater than 0
• User mary-bob can check her mail only from 192.168.0.3 weekdays from 9 - 5 as long as she is
checking her POP3 username account mary-bob on the server mail.host.com.

Step-By-Step Example:

You may want to allow access only to a certain site, e.g. www.wingate.com pages.

1. Open the WWW proxy properties

2. Select the Policies tab

3. Remove the ‘default rights’ selection

4. Double-click the recipient you wish to restrict, or add a new recipient and edit

5. The ‘Criterion is met if’ option should be selected

To make rules to allow only www.wingate.com, make a filter with a single request criterion of "Server
name equals www.wingate.com". If you want to add more sites, add more filters with an appropriate
criterion.

Three filters like this will allow any pages from these three sites, but nothing from any other sites. The
requests tab looks like this:

This means the selected recipient has rights to access CNN or Whitepages or Yellowpages.

Evaluating Filters and Rules

Essentially, all filters in a policy are joined with Boolean/conditional ORs. This means that if any one
filter evaluates to true, then the activity is restricted/allowed (depending on how you have configured it).
On the other hand, the rules within a filter are joined with Boolean/conditional ANDs, which means that
they must all evaluate to true for the filter to apply. The table below summarizes how each of these logical
connectors works.

AND: If criteria are joined with an AND, then they must all evaluate to true for the rule to apply.

OR: If criteria are joined with an OR, then only one of the criteria must evaluate to true for the rule to apply.

NOT: This means that a rule will apply if the criteria do not evaluate to true.
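The Location tab rule (match at least one included location and no excluded one), the ban list, and the OR-of-filters / AND-of-criteria evaluation described above can be modelled in a few lines. This is an added example, not WinGate's own code; the class and function names are hypothetical, the case-insensitive string comparison is an assumption, and the policies are constructed from values that appear in this manual.

```python
import re
from dataclasses import dataclass, field

def wildcard_match(pattern, value):
    """DOS-style match on the address text: '?' = one character, '*' = any run."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value) is not None

# Comparisons the manual lists for string and number variables.
COMPARISONS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "begins with": lambda actual, wanted: actual.startswith(wanted),
    "ends with": lambda actual, wanted: actual.endswith(wanted),
    "greater than": lambda actual, wanted: actual > wanted,
    "less than": lambda actual, wanted: actual < wanted,
}

@dataclass
class Criterion:
    variable: str          # a name from the variable table, e.g. "Server name"
    comparison: str
    value: object
    negate: bool = False   # the NOT connector

    def met(self, request):
        actual = request.get(self.variable)
        if actual is None:
            result = False                  # variable not set for this request
        else:
            wanted = self.value
            if isinstance(actual, str):     # assumption: case-insensitive strings
                actual, wanted = actual.lower(), str(wanted).lower()
            result = COMPARISONS[self.comparison](actual, wanted)
        return result != self.negate

@dataclass
class Recipient:
    name: str
    included: list = field(default_factory=lambda: ["*"])   # "Everywhere"
    excluded: list = field(default_factory=list)
    ban_list: list = field(default_factory=list)   # any matching criterion bans
    filters: list = field(default_factory=list)    # each filter is a list of criteria

    def location_ok(self, ip):
        return (any(wildcard_match(p, ip) for p in self.included)
                and not any(wildcard_match(p, ip) for p in self.excluded))

    def grants(self, request):
        if not self.location_ok(request["Client IP number"]):
            return False
        if any(c.met(request) for c in self.ban_list):
            return False
        if not self.filters:                # no included criteria: no restriction
            return True
        # Filters are ORed together; criteria inside one filter are ANDed.
        return any(all(c.met(request) for c in flt) for flt in self.filters)

def right_granted(recipients, request):
    """Walk the recipient list; the right is denied if no entry grants it."""
    return any(r.grants(request) for r in recipients)

# Constructed policies built from values used in this manual.
LAN_ONLY = Recipient("Everyone", included=["127.0.0.1", "192.168.0.*"],
                     ban_list=[Criterion("Server name", "equals", "www.naughty.com")])
ALLOW_LIST = Recipient("Everyone", filters=[
    [Criterion("Server name", "equals", "www.wingate.com")],
    [Criterion("HTTP Method", "equals", "GET"),
     Criterion("User: Account balance", "greater than", 0)],
])

def demo():
    lan = {"Client IP number": "192.168.0.7", "Server name": "www.wingate.com"}
    wan = dict(lan, **{"Client IP number": "203.0.113.9"})  # constructed outside address
    return right_granted([LAN_ONLY], lan), right_granted([LAN_ONLY], wan)

if __name__ == "__main__":
    print(demo())
```

Because the filter is compared as text in this model, a pattern such as 192.168.0.1* also covers 192.168.0.10 to 192.168.0.19 and 192.168.0.100 to 192.168.0.199, so test each filter against addresses that should fall outside it.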

Securing your Network

Why Should I Do Anything?

A small number of people take pleasure in breaching the security of networks. Some do this for fun, some
for espionage (e.g. getting client lists), sabotage (deleting files) or advertising (e.g. Spamming).

Hackers may get unauthorized access to your network. More importantly, they may be able to access
other networks while appearing to be you. This could lead to you being blamed for the hacking. If this is
serious, your ISP could close your account. One of the ways people can do this is using a proxy server
such as WinGate.

How Do I Secure My Network?

There are a number of methods of securing WinGate. These are simple to implement and will take only a
couple of minutes:

Logically

By setting up rules specifying who may or may not do certain things in WinGate. This method is more
configurable.

Physically

By binding a service to a specific interface the service will simply not be available from any other
interface. E.g. by binding a service to your LAN adapter, you can easily prevent all access from the
Internet. This method is faster and simpler.

With ENS Plugin

A strong packet-filtering firewall.

You may also choose a mixture of these two methods, depending on your requirements for access. Here
are some examples of typical ways of securing your access.

Example of Securing a Basic Network:

Consider a small LAN running WinGate Standard or Home Version for Internet access. There are no
server applications running that require access from users on the Internet. This scenario is fairly typical.

Option One

If all the services are using the default security arrangement as installed, then perform the following steps:

1. Open GateKeeper and log into WinGate as Administrator

2. Double click on "System Policies"

3. Select the right "Users can access services"

4. There will be one recipient there - "Everyone". Double click on this recipient

5. Select the Location tab

6. Select "Specify locations from where this recipient has rights"

7. Add the following IP addresses under Included locations: 127.0.0.1, and the first three number
groups of the IP address of your WinGate server's network card followed by a .* - for example if
your network card has IP address 192.168.0.1, then you would add 192.168.0.*. If you have more
than one network card in the WinGate server then add an entry for each card that requires access to
WinGate

8. Hit OK, and remember to save changes.

Now only your LAN users can access any service in WinGate. If some of your services are using their
own rules rather than the global ones, you can perform this action for each recipient in those service-
specific rules.

Option Two

The Standard WinGate License will not allow you to bind a service to more than one interface at a time
(but you can do this with the Pro License).

To bind a service to an interface, do the following:

1. Open GateKeeper and log into WinGate as Administrator

2. Double click on "Services" in the right hand pane

3. Double click on the service you want to modify

4. On the Bindings tab you see an option - "Specify interfaces connections will be accepted on" -
enable this option

5. Ensure the Bound list contains only the interfaces you are binding to. Double click interfaces to
move them between lists. Included interfaces should be your LAN card and 127.0.0.1 (localhost)

6. Click OK.

Note:

You cannot change the binding in the Remote Control Service in WinGate Standard.

Internet Server Applications and Security

What if I am running a server behind WinGate that requires public access?

We recommend that you do not run the Telnet proxy or SOCKS servers with public access. If you do,
you will want to restrict what requests the server can perform. You could require users of these services
to be authenticated if they connect from the Internet. This will prevent unauthorized use. Alternatively,
you can specify where a user can connect to, and at what times.

For WWW, if say you are running a public WWW server behind WinGate, you can stipulate that Internet
users can only connect to your public WWW server, and internal users can connect out.

General Techniques and Strategies.

The first question is "Do I really need to allow access to this service from the Internet, and why?". There
are a few situations where access from the Internet is required.

| Situation | Recommendations / Suggestions |
|---|---|
| You may be running mail, WWW or other server on your LAN that requires access from the Internet. | Have separate internal and external WWW proxies. Limit the external requests to the Non-proxy method. With mail servers, restrict the servers accessible with POP3, and limit the locations from where the SMTP server can be used. |
| You may require field staff to telnet into your Unix server from the field. | Require authentication with the Java client, or enter rules that only allow access from a known IP number, or limit the server that can be connected to. |
| You may have a requirement for some secure inter-office communication. | As above. |

If none of these situations apply, you need to question why you would allow access from the Internet to a
service.

There are ways to specify different WinGate access rights depending on what location a user is
connecting from. You can either create duplicate services bound to the different interfaces with different
policies per service, or you can do it with a single service with location-based policies.

For example, for a POP3 service using service specific rules, create two ‘everyone’ recipients - the first
one is restricted by location, and must connect from your LAN. The second can connect from anywhere,
but is restricted by request to allow connections to certain servers or ports (for example).

Tips and Tricks:


• When securing your network, start with full restriction and add the required access. Don’t start with
full access and add the required restrictions
• Full security can be as simple as always requiring Authentication. The logon client is served in a
browser when required and it is simpler to require its use than to setup complex rules
• Most networks will only need to bind to localhost and the LAN card. This prevents all external
access
• It is best to have a simple set of access regulations. Complex sets are harder to maintain or test
• A service may need special restrictions depending on the incoming interface. Adding a service for
each interface (they can be on the same port) is often the simplest way to achieve this. You can
then structure policies per interface, and have a descriptive name for the service. For instance:
WWW (non-proxy) – external, WWW proxy – internal
• The most vulnerable services are SOCKS and Telnet. Ensure these are only available from your
LAN
• It is very unlikely you will ever bind to a dialer profile.

User Database Options

The ability to add and configure user and group accounts is only available with a WinGate Pro
License. Therefore, this feature can only be used with a WinGate 4 or later Pro License
(WinGate 3 Pro users will be unable to access this feature – please visit www.wingate.com for
upgrade information).

Note for 95/98 Users:


User database integration with the operating system is not available if you are running WinGate on
a Windows 95, 98, 98SE or ME computer (these operating systems do not have a true user
database).

This feature will be turned OFF by default.


How to Open This Dialog:

From the GateKeeper Control Panel/User tab select Database options.

Setting up custom users and groups is a key feature of WinGate Pro. It allows you to create meaningful
policies that control and track access to your key WinGate Services. WinGate can use one of two user
databases:

• WinGate user database or
• Windows NT / 2000 user database.

When using the NT / 2000 user database WinGate administrators will also benefit from strong NT-based
authentication for Internet access (i.e. all authentication for WinGate Services will be based on NT user
accounts and passwords).

When integrated with NT all users, groups and properties will be visible inside GateKeeper, but you will
not be able to edit their properties (you must do this from the NT user manager).


To learn more about user management for WinGate with NT integration click on any of the topics
listed below:

Importing Existing Users and Groups from Windows NT / 2000

User and Group Management (NT vs WinGate)

User Authentication Methods (NT vs WinGate)

Managing WinGate Users & Groups with NT

How to access this dialog:

From the GateKeeper Control Panel/ User tab select Database options.

Managing the user database involves routine tasks such as adding, deleting or updating user and group
accounts. If WinGate is installed on a Windows NT or 2000 system, you can choose to manage this from
the NT user manager. If you choose to use the NT user manager, WinGate will synchronize itself with
any changes made in NT – you should no longer attempt to add, edit or remove users from within
GateKeeper.

Managing with NT / 2000 User Manager

This is the approach we recommend (though it is turned OFF by default), because it allows you to
manage users and groups from a single location. Having a single database makes it less likely for security
holes to arise at your Internet gateway (e.g. user accounts of ex-employees still enabled by mistake).

NT does not notify WinGate when a change occurs to the user database. Therefore, WinGate checks for
changes and will re-synchronize if necessary:
• When the WinGate Engine starts up (i.e. after a reboot or a manual stop / start of the engine)
• When an unrecognized user attempts to authenticate (this tips WinGate off that a new user may have
been added to NT)
• When a member of the administrator group logs in to GateKeeper (this is optional).

Important Note on Guest Account:
The guest account is handled specially by WinGate as it must be enabled in order for DHCP to function
properly. The "enabled" status is handled by WinGate, so it will always be independent of NT (i.e.
whatever you set this to in GateKeeper will never be overwritten by a re-synchronization with NT).

Managing User Database with WinGate (via GateKeeper)

To learn more about this feature click on the topic listed below:

Using the WinGate to Manage the User Database (instead of NT)

Authentication Methods for WinGate Services

How to access these controls:

From the GateKeeper Control Panel/ User tab select Database Options.

Selecting a method for user authentication is important as it forms the backbone of user and group policies
for WinGate Services. You select where to check for a match when a user enters a name and password
when attempting to access a WinGate service.

You should be familiar with the following topics before continuing:


Security concepts in WinGate
Ways to Authenticate Users with WinGate

NT-based authentication will work for the following WinGate authentication methods:

• WRP Service (via the WinGate Internet Client)
• Remote Control Service (via GateKeeper).

NT-based authentication will NOT work for (read the note below on why it does not work):

• WWW Proxy Service (via the Java Client)
• SOCKS5 Proxy (passed in plain-text as specified in RFC1929)
• Telnet_Proxy (passed in plain-text).

WinGate User Passwords

This option is only available if you are using the traditional WinGate user database (i.e. no NT/2000 user
database integration). When a user must be authenticated, the supplied user name and password
(credentials) will be checked against those stored at the server.

Note:

If you have imported users from another source (e.g. text file or NT) this password will be "blank" – you
will need to set these. Once a WinGate password has been set for a user account it is stored in an
encrypted format.

Windows NT / 2000 User Passwords

This option is the most secure, but is only available when you have chosen to use the NT / 2000 database
with WinGate. It will allow users to enter an NT username and password to authenticate with WinGate.
This builds upon the tried and tested strength of NT security.

WinGate will always try to use the current login details first, whether the user is logged into Windows
NT, 2000, 95, 98 or ME. If this fails then the user will be asked to enter their NT credentials. At this
point WinGate uses NT to verify whether the password is correct – WinGate never knows, stores or
transmits the NT password in any way (it simply passes any details to NT where they are confirmed
or denied).

Either WinGate or NT Passwords (any match)

This is a combination of the two approaches outlined above. WinGate will first check for a match with
the NT account. If this fails then it will try for a match with the WinGate password.

This method is required if you wish to use the Java Client to authenticate non-Windows users on the
LAN (and also if you wish to use insecure SOCKS5 or telnet authentication).

Warning!

If you have imported user accounts from another source (like NT or a text file) then the WinGate
password will be "blank" – it is critical that you set this for each user before using this method.

Important Notes on Authentication:


• Passwords for both NT and WinGate are always case-sensitive (i.e. password, Password &
PASSWORD are not treated as equal)
• Once a user has successfully authenticated with WinGate, he/she will be able to access any WinGate
services for the duration of the session (this is because WinGate now recognizes any requests from
that PC as coming from an authenticated user)
• If using NT-authentication, an NT account is required for each WinGate user, as WinGate will show
the users from the NT users database. Note that if you change to NT Authentication, some WinGate
users may disappear if there is no corresponding NT user.
• WinGate never stores or records NT passwords – it uses NT to verify their correctness.
• The Java Client, Telnet and SOCKS5 authentication cannot be integrated with NT. This is because
they rely on sending passwords in clear text (unencrypted or with minimal encryption). These
methods will still work with WinGate, but you must have "Either WinGate or NT passwords (any
match)" selected.

Importing & Exporting WinGate Users

There are various methods available for importing and exporting WinGate users and group information.
The user database wizard enables the administrator to import or export all users and groups’ information
to and from text files.

Users can also be imported from an existing Windows NT or 2000 user database. Once you have done
this you can continue to manage users from the NT/2000 user manager (and WinGate will continue to
import any changes).

How to Import User Information to WinGate From…

A Windows NT4 or 2000 user database

A text file (tab delimited only!)

How to Export WinGate User Information To…

a text file (comma or tab delimited)

Importing Users & Groups from Windows

The NT integration feature can be used to perform a one-time import of user and group names, details and
group associations. Once they have been imported you can then continue to use WinGate for group
management as usual (or you may choose to use the NT user manager). This feature can make an
administrator's life easier when setting up WinGate for the first time on a new server.

Note About NT / 2000 Passwords!


WinGate can NOT (and never will be able to) import passwords from NT / 2000 because this could
compromise Windows security. Therefore, imported NT user accounts will always have a "blank" or
"empty" password.

How to Import Users From NT

I am setting up WinGate for the first time on a Windows NT or 2000 computer.

All NT user and group accounts will be created with the same details held by NT except for
passwords. The WinGate password will be blank until you set it to be something else in GateKeeper
(see note above).

Follow these steps:

1. In GateKeeper, select the User tab from the control panel

2. Double-click "Database Options"

3. Under User & Group Management select the "Windows NT / 2000 User Database"
option

4. Click "Synchronize Now"

5. Under User & Group Management select the "WinGate User Database" option (this
means that you are no longer integrated with NT/2000 in any way).

I already have an existing WinGate user database but wish to "merge" it with the NT / 2000
database.

In this case you probably have some duplicate accounts between the WinGate and NT databases
(WinGate will only consider two user accounts a match if the username is exactly the same i.e.
"matt", "Matt" and "MATT" are not the same).

Any existing WinGate accounts that also exist in NT will be "merged" – meaning that all NT details
will replace anything that was entered in the WinGate account except for passwords. If the user had
a WinGate password then this will be retained, otherwise it will be blank (see note above).

Any NT user accounts that were not found in WinGate will be created with the same account details
held by NT except for passwords. The WinGate password will be blank (see note above).

Related Topics:

Using NT Authentication with WinGate

Importing Users From A Text File

The ability to add and configure user and group accounts is only available with a WinGate Pro
License. Therefore this feature can only be used with a WinGate 4 or later Pro License
(WinGate 3 Pro users will be unable to access this feature – please visit www.wingate.com for
upgrade information).

This feature enables a WinGate administrator to import users from a simple text file (where each
information field is delimited/separated by tabs). We currently do not support importing from a
comma-delimited file, so you should always export from WinGate in the tab format.

You can import as much or as little information as you like – user names, passwords, descriptions, real
names, group memberships, user templates etc (even existing audit information if the details were
exported to a text file by WinGate).

Importing Users & Groups to WinGate

1. Make sure that you have a text file listing all user information and that the text file is in a valid
WinGate format (see the sample in the WinGate program files folder under \samples)

2. Open GateKeeper and go to the Users tab of the WinGate Control Panel

3. Right-click anywhere in this tab to view a popup menu listing special user/group management
options

4. Select Import Users from the menu (see also Export Users).

Configuring the User Import Wizard


This can save you time when migrating from one WinGate server to another (or when you must rebuild
your gateway computer). Run the User Export Wizard to first output the entire WinGate user database to
a text file.

It is also much faster for entering many users at once and can be combined with user templates for even
greater speed and control.

Tips About Importing Users


• Both user names and group names are case-sensitive to provide maximum security (this means that
the usernames "Matt", "matt" and "MATT" would all be recognized by WinGate as separate users)
• If a duplicate user is found (i.e. a user specified in the text file already exists in the WinGate user
database) the user import wizard will NOT re-import that user. This is a safeguard to ensure that no
existing user information is overwritten. To overwrite the existing user account you must first
delete that account with Gatekeeper

• Passwords can be imported as "plain text" (unencrypted). WinGate will assume passwords are in
"plain text" if they are less than 40 characters long (otherwise it will assume that WinGate exported
them to the text file, and thus will be in an encrypted format). See note below on password security
• Once you have successfully imported user information into WinGate (users and groups) you should
always DELETE the text file (in the interest of security). This is especially important when
importing passwords in plain text
• When adding new users and groups to an existing user database it is a worthwhile precaution to
backup the WinGate registry (this will allow you to rollback in the case of any unwanted changes).
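A pre-import check that applies the tips above to a tab-delimited user list: case-sensitive names, duplicates that are not re-imported, and the 40-character rule for deciding whether a password is plain text. This is an added example, not WinGate's code; the column names Username and Password and the sample rows are assumptions, so adjust them to the layout of the sample file under \samples.

```python
import csv
import io

PLAINTEXT_LIMIT = 40  # manual: passwords shorter than this are read as plain text

def lint_user_import(tsv_text, existing_users=()):
    """Return a list of (username, [finding codes]) for a tab-delimited user list."""
    known = set(existing_users)   # usernames already in the WinGate user database
    report = []
    # QUOTE_NONE: a quote character inside a password is data, not CSV quoting.
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        name = row.get("Username") or ""        # assumed column name
        password = row.get("Password") or ""    # assumed column name
        if name in known:
            # Exact match only: the wizard will not overwrite an existing account.
            report.append((name, ["DUPLICATE_SKIPPED"]))
            continue
        codes = []
        if any(k.lower() == name.lower() for k in known):
            # "Matt" and "matt" are separate users; flag likely typos.
            codes.append("CASE_VARIANT")
        if password == "":
            codes.append("BLANK_PASSWORD")
        elif len(password) < PLAINTEXT_LIMIT:
            codes.append("PLAINTEXT_IN_FILE")   # delete the file after import
        else:
            # 40+ characters: assumed to be a WinGate-exported encrypted value,
            # so a long plain-text passphrase would be misread.
            codes.append("TREATED_AS_ENCRYPTED")
        known.add(name)
        report.append((name, codes))
    return report

def needs_password_before_any_match(report):
    """Accounts to fix before selecting 'Either WinGate or NT passwords (any match)'."""
    return [name for name, codes in report if "BLANK_PASSWORD" in codes]

# Constructed sample input (not a real export).
SAMPLE = ("Username\tPassword\n"
          "matt\thunter2\n"
          "Matt\t\n"
          "ops\t" + "x" * 40 + "\n"
          "matt\tchanged\n")

if __name__ == "__main__":
    for entry in lint_user_import(SAMPLE):
        print(entry)
```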

Related Topics:

Importing Users from NT

Exporting User Information from WinGate

Adding New Users

Adding New Groups

User Export Wizard

The ability to add and configure user and group accounts is only available with a WinGate Pro
License. Therefore this feature can only be used with a WinGate 4 or Later Pro License
(WinGate 3 Pro users will be unable to access this feature – please visit www.wingate.com for
upgrade information).

Exporting Users & Groups from WinGate

1. Open GateKeeper and go to the Users tab of the WinGate Control Panel

2. Right-click anywhere in this tab to view a popup menu (displayed on the left) listing special user/group
management options

3. Select Export Users from the menu (see also Import Users)

4. This will open the Export User Wizard dialog. Learn how to configure this to export users below

Configuring the User Export Wizard

Tips About Exporting Users


• The user export wizard can also be used as a handy backup tool for WinGate. If you lose your
WinGate user database information (a corrupt registry or accidental changes) you can use a previous
export file to re-import the user database
Note: This must be exported into a tab-delimited format (not comma-delimited).
• When exporting user information passwords are stored encrypted (rather than in clear text). This
reduces the security risk of having passwords stored in a readable format
• Sometimes the exported file can be difficult to read in a text editor. If you want to view or edit the
information, open the file in Microsoft Excel (or a similar spreadsheet program). These programs
can easily import tab or comma delimited files.

Related Topics:

Importing User Information to WinGate

Adding New Users

Adding New Groups

Export Options
These are the optional fields to export (anything not listed here must be exported).

Note: If you choose to export passwords these will be the WinGate passwords, not NT (even if you have
chosen to use the Windows NT / 2000 database).

Export File Type


This is either tab-delimited or comma-delimited. A delimiter is another word for the separator between
fields of information. This option determines the format of the text file that will be created.

Note: WinGate can only import information in a tab-delimited format!!!

Export to Text File


You may choose to export the file to another directory (the default is to the WinGate program folder). If
you are exporting the WinGate user database as a backup, it is often wise to keep backups on another
computer (in case of a drive failure etc).

Merge Members
This option is only applicable when you are importing users into an existing WinGate User Database
(that already contains the standard or custom users and groups).

It works like this – say you already have Jim & Bob in the Administrators group. Now you are
importing a new Administrators group that has a member Harry. After the import is complete the
Administrators group will consist of Jim, Bob and also Harry (only if the merge option is on).

Template / Members Field


This option shows the group associations of the imported user information i.e. which group each user
belongs to (and the members for each group).

Password Field
The password field is an optional export – it is encrypted and will always contain the WinGate user
password (never the NT password, even when you have chosen to use the NT database with WinGate).

Open / Delete Buttons


Open: This will launch a browse dialog so that you can select a text file from which to import user and
group information (this MUST be in a tab-delimited format).

Delete: Once you have selected a file to import, you have the opportunity to remove any user or group
records that you do NOT want imported. When you press OK the remaining records will be imported to
the WinGate User Database.

NT Database Options
These options will only be available when you have selected to use the Windows NT/2000 user database
for user and group management.

Synchronize Now: WinGate will check the NT / 2000 database and update itself to reflect it immediately.

NT User Manager: Launches the NT / 2000 user manager dialog. This allows you to continue operating
from within GateKeeper while managing your users and groups from within NT / 2000.

Scan for updates when: WinGate will automatically synchronize itself when the engine is re-started &
also when an unrecognized user attempts to authenticate (this tips WinGate off that a new user may have been
added to NT). You can also choose for this to occur when an administrator logs in.

Note: If you have several hundred users then you should disable this option to enable faster logons to
GateKeeper.

User Authentication
Click here to learn more about WinGate authentication methods

Extended Network Support

Network Address Translation (NAT) is a key feature of the ENS (Extended Network Support).
NAT extends WinGate with powerful yet flexible Internet sharing.

NAT enables you to share an Internet connection amongst networked computers running virtually any
application on any platform (including Windows, MacOS, Unix and Linux).

• Click here to learn about the advantages of the NAT method.

• Click here to learn about using the proxies and the WGIC to complement NAT.

• Click here to learn how NAT works.

Why Use WinGate NAT Connectivity?

NAT can provide your LAN with -

• Fast and seamless low-level sharing of a connection to the internet
• Access to a shared connection for computers running any TCP/IP supporting platform (e.g.
Windows, Macintosh, Unix, Linux) and virtually any client application (web browsers, mail
programs, newsgroups, FTP etc).

NAT cannot provide your LAN with -

• Control of Internet users with detailed rules and policies.

Where you want tight control over users' Internet usage, or want to run server applications, you should use
WinGate Proxies or the WinGate Internet Client. NAT is most useful where you want to provide shared outgoing
Internet access to a network.

• Click here to compare NAT, WGIC and Proxy methods.

• Click here to learn more about integrating WinGate connectivity methods for maximum
connectivity.

Comparing NAT, WGIC and Proxy Methods

The table below outlines the three methods of Internet connectivity used in WinGate 4. You can use this
table as a guide to matching the WinGate methods to your requirements. When you are familiar with the
benefits and drawbacks of each method, you can learn about making NAT work together with the WGIC
and WinGate Proxies.

The table shows that NAT is the easiest to use, most compatible with your software and the fastest. The
biggest advantages of the WGIC are the ability to accept incoming connections, solid control over your
connection with configurability, and high security. Proxies are best for configuration and security.

To provide maximum connectivity and functionality you need to be able to use NAT, the WGIC and the
Proxies. All of these are included with WinGate 4.

Properties compared for NAT, WGIC and Proxies:

• Easy to configure client PC
• Speed
• Security
• Configurability
• OS Compatibility
• Software Compatibility
• Accept incoming connections from other computers

Integrating NAT with WGIC and WinGate Proxies

This section explains how to integrate the WinGate connectivity methods so that they work together. By
integrating these methods, you can satisfy virtually any requirement for Internet connectivity.

The purpose is that you can setup any application to use the method that best suits your requirements for
it. You can do this easily for applications running on the same computer or on the same network, because
NAT, WGIC and WinGate Proxies all work completely independently of one another.

This topic consists of the following sections:

• Quick Guide to Using Either Method
• NAT and the WGIC
• NAT and Proxies

Quick Guide to Using Either Approach

Method | How to configure your applications to use it
NAT | Use DHCP on client computers. This will automatically assign the default gateway and DNS server to point to the WinGate server computer. If using static IPs, ensure that their Gateway and DNS entries are set to point to WinGate. Set the application to connect directly to the internet. If the WGIC is installed, you must configure the application to run in ‘local mode’ (see below) so that it is ignored by the WGIC.
WGIC | Make sure the WinGate Internet Client is installed on the client computer (and that you have the WinGate DHCP server enabled). Set the application to connect directly to the internet. By default, the application will use the WGIC to connect to the internet and to accept incoming connections.
Proxy | All proxies are installed with WinGate 4 Pro and Standard Licenses. If you chose not to install the proxies at installation, you must install the relevant proxy e.g. to surf the web using a proxy you must install the WinGate WWW Proxy. Set the application to connect to the Internet using a proxy server (this must be the WinGate server computer).

NAT and the WGIC

This combination is the most effective for client computers running their applications on a Windows
platform. It allows users to maximize their ability to share an Internet connection (both outgoing with
NAT and incoming with WGIC), while giving you a high level of control over any applications you
choose to administer more carefully with the WGIC.

If the WGIC is installed it will provide the default connectivity for every client application trying to
connect to the Internet from that computer. To use NAT you must tell the client to ignore a particular
application.

Follow these steps to use NAT and WGIC on the same client computer:

1. Make sure your ‘Default gateway’ points to the WinGate server computer (this is done
automatically if DHCP is enabled)

2. Make sure that your Windows applications are configured to connect directly to the Internet

3. Install the WGIC on the client computer (it will handle all access to the Internet unless you
explicitly tell it to ignore a particular application)

4. Go to the control panel and open the applet named ‘WinGate Internet Client’

5. Select the ‘Application’ tab and click the ‘Add’ button

6. Select an application that you want to use NAT e.g. Netscape.exe (if you do not know the name of
an application .exe, click on the ‘Browse’ button and look for that application on the local drive)

7. Select ‘Local Network Access’ and the selected application will be ignored by the WGIC (in the
screenshot below the user is configuring Netscape to use NAT)

8. Repeat this process for each Internet application that you want the WGIC to ignore (and therefore
use NAT)

9. Click on the ‘Apply’ button, and then click ‘OK’.

NAT and proxies

Although in most cases NAT and the WGIC will satisfy all requirements for Internet sharing, sometimes
the WinGate Proxies are necessary.

If you decide to use a proxy you must configure each application individually. This will
require specifying the WinGate server IP address and the port that the proxy service is running on (this is
displayed next to the service in GateKeeper).

Note:
If you configure an application to use a proxy, it will not use NAT.

Recommended Network Configurations

MS-Windows Systems

If the client is a PC running Microsoft Windows, we recommend the following setup:

1. Enable DHCP so your client computers are automatically assigned IP addresses and default
gateway settings

2. Install WGIC on client computers

3. If you simply want applications to use NAT, then set these to run in ‘local mode’ in the WGIC
control panel applet. Click here to learn how to do this

4. Any applications that are not set to run in ‘local mode’ will use the WGIC (so long as the WGIC is
properly installed). These applications may accept incoming connections and can be closely
controlled with policies through GateKeeper.

Non-Windows Systems

If the client is a computer running anything other than Microsoft Windows (like MacOS, Unix or
Linux), we recommend the following setup:

1. Enable DHCP so your client computers have automatically assigned IP addresses and default
gateway settings

2. Ensure all client applications are set to connect directly to the Internet (this will ensure they use
NAT). This is nearly always the default setting

3. For server applications that accept incoming connections, setup a TCP mapped link in
GateKeeper.

• Click here to learn more about integrating NAT, WGIC and Proxies.

How NAT Works

When two computers are on a local area network (the same subnet), they have a direct connection to one
another. This means that they can send data directly to one another. If the two computers are on different
subnets then they no longer have a direct connection. Something must forward the data between these
subnets, and this is called a router (it can be hardware or software). This is the case whenever your
computer is attempting to connect to another computer on the Internet (e.g. to view a web page).

NAT is a ‘low-level’ approach to sharing an Internet connection. NAT stands for Network Address
Translation. This works in a very similar fashion to a software router, whose job it is to forward packets
between different subnets in a larger network (you can think of the Internet as a single very large multi-
sub-netted network). Routers know enough about the other subnets around them to enable them to
forward packets to the right one, so that they will eventually reach their destinations. A NAT does this
forwarding but with an important difference.

NAT is used to share a single public IP between multiple client computers, each with their own unique
private IP addresses. When a client attempts to connect or send data to a machine on the Internet it
forwards the data to the NAT. The NAT then substitutes the original private IP in the packet sent from the
client with its own. The remote computer sends packets back to the NAT computer (running WinGate),
because it thinks that the WinGate server was the source of the data sent. Because NAT keeps a record of
which computers sent packets on which ports, it is able to pass the incoming packets back to the correct
computer.

NAT performs the following tasks:


• It changes the source IP address to be its own IP address. This means that data received by the
remote PC looks like it originated from the computer running NAT
• It sends the data to the remote PC and remembers what port it used.
• When data is received from the remote computer on this port, the data is forwarded to the client.

Requirements are Minimal for Client Computers

Default gateway support is part of TCP/IP. NAT simply acts as this gateway, and forwards data if it
knows that it is destined for the Internet. Default Gateway configuration is done automatically if you use
WinGate's DHCP server.

Does This Mean That NAT Will Work for Any Application Protocol?

Protocols that use multiple connections, or multiple paths for control and data (like FTP, or RealAudio),
may not work as standard through a NAT.

Take FTP. When you start an FTP session, you get a connection made by the FTP client to the FTP
server. The client logs in, and then requests the transmission of a file, or a directory listing. You will see
something like (in some FTP clients) a PORT command. What this command is doing is setting up a data
connection to actually send the file or directory listing back to the FTP client. The way this works for a
PORT command is that the client is effectively telling the server "hey - connect back to me on this IP
address, and this port for a data connection".

The problem is that the client tells the server to connect back to it on its own internal IP address (it has no
way of finding out any other), and this address is not reachable by the server. If the server tries to connect
on this address, it will fail.

Most NAT solutions (including WinGate's) implement special support for the FTP protocol, so that NAT,
when forwarding the packets, sees the PORT command, and replaces the IP address in the data of the
packet.

A NAT can only do this for protocols that NAT developers know about, and so other proprietary
protocols that negotiate secondary connections for data may not be supported by a NAT. Also,
implementing support for individual protocols in a NAT is an uphill battle, increasing the complexity
(reducing reliability) and development costs for NAT vendors. In light of this, you can see that NAT is
not always the ‘fix-all’ for shared Internet Connectivity.
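The translation steps listed under "How NAT Works" and the FTP PORT fix-up described above, as an added example that is not part of the original help file and is not WinGate's code: a toy port-mapping table in Python. The class name, the starting port and all addresses (private and documentation ranges) are constructed for illustration.

```python
# Added example: toy NAT port-mapping table with the FTP PORT fix-up.
# Addresses are constructed (RFC 1918 private and RFC 5737 documentation ranges).
import re

PUBLIC_IP = "203.0.113.10"  # assumed public address of the NAT computer

# "PORT h1,h2,h3,h4,p1,p2": four address bytes, then the port as p1*256 + p2.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$",
    re.IGNORECASE)


class Nat:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private_ip, private_port) -> public_port
        self.back = {}  # public_port -> (private_ip, private_port)

    def map_port(self, private_ip, private_port):
        """Remember which public port stands in for a private (ip, port) pair."""
        key = (private_ip, private_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.out[key]

    def outbound(self, src_ip, src_port, payload=b""):
        """Rewrite the source of an outgoing packet to the NAT's own address."""
        public_port = self.map_port(src_ip, src_port)
        return self.public_ip, public_port, self.fix_ftp_port(src_ip, payload)

    def inbound(self, dst_port):
        """Return the private (ip, port) for a reply, or None (no mapping: drop)."""
        return self.back.get(dst_port)

    def fix_ftp_port(self, client_ip, payload):
        """Replace the private address inside an FTP PORT command."""
        match = PORT_RE.match(payload)
        if not match:
            return payload  # not a PORT command: pass through untouched
        nums = [int(g) for g in match.groups()]
        if any(n > 255 for n in nums):
            return payload
        announced_ip = ".".join(str(n) for n in nums[:4])
        if announced_ip != client_ip:
            return payload  # only translate the sender's own address
        data_port = nums[4] * 256 + nums[5]
        public_port = self.map_port(client_ip, data_port)
        fields = self.public_ip.split(".") + [
            str(public_port // 256), str(public_port % 256)]
        # The rewritten command can differ in length from the original, so a real
        # NAT must also adjust TCP sequence numbers for the rest of the connection.
        return b"PORT " + ",".join(fields).encode("ascii") + b"\r\n"


def demo():
    nat = Nat(PUBLIC_IP)
    # Control connection from a private client to an FTP server.
    ctrl = nat.outbound("192.168.0.5", 1029)
    # The client announces data port 4*256 + 10 = 1034 on its private address.
    fixed = nat.outbound("192.168.0.5", 1029, b"PORT 192,168,0,5,4,10\r\n")
    # The server connects back to public port 50001; port 50999 was never mapped.
    return ctrl, fixed, nat.inbound(50001), nat.inbound(50999)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A proprietary protocol that embeds addresses in a format this table does not parse passes through unchanged, which is the failure case the preceding paragraph describes.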

Can NAT support server applications?

In most circumstances NAT will support listening servers.

There are some requirements:


• The computer running the server must have a static IP.
• You must setup a port redirect on the Port Security tab of ENS.

This will forward incoming connections to the server. This approach may not always work if multiple data
connections are setup between server and client. Mapped links are a superior method.

Why is NAT faster than other connectivity approaches?

NAT is fast because NAT does so little. It rewrites a few fields in each packet of data, and remembers a
table of port mappings. Other methods have to do much more work. A downside to the speed of
NAT is that it does not presently use caching like the WWW Proxy.

What transport protocols does NAT work with?

The NAT is designed to read the information in IP packets only. This means that it supports the IP related
protocols such as TCP, UDP and ICMP.

WinGate Home

Welcome to Help for WinGate Home! Specifically designed with the home user in mind, WinGate
Home can be used to share an Internet connection on your home network. WinGate Home is so simple
that anyone can use it.

Featuring a simplified interface and 100% automatic configuration, it is the superior solution to Internet
sharing in any home or small business environment. Click on either of the links below to learn how to get
the most from WinGate Home.

Where Do I Start?

• First check out how to use WinGate Help and its interactive features.
• Learn about the features in WinGate Home (what you have and what you’re missing out on).
• You may want to learn a little more about what WinGate Home is and how it does its job.

Once you are familiar with WinGate Home you should learn all about:

GateKeeper - the user interface to view Internet activity over your network (as real-time activity or as
history) and to tweak various WinGate settings.

WinGate Dialer – what WinGate uses to connect your network to the Internet via your modem
(unless you have a direct connection).

WinGate™ © 1999 by Qbik New Zealand Limited, All Rights Reserved.

Click here to learn more about Qbik and what we do.

What's New in WinGate Home?

This topic provides a brief outline of the new features in this WinGate Home release. It does not include
a list of bug fixes, improvements or other changes – these can be found under
Start/Program/WinGate/WinGate Information. For information on how to upgrade, click here.

Network Extensions

WinGate Network Extensions dramatically improve WinGate’s ability to share Internet access and
provide security on your LAN. They consist of General Purpose Internet Sharing (NAT), bridging of
multiple sub-networks and a packet-filtering firewall that works out-of-sight to provide increased
protection to information on your home network.

System Messages

The Administrator System Log is a diagnostic tool to help you fix common WinGate configuration
problems. Each log message includes integrated support with the help file, enabling you to fix common
problems quickly.

What is WinGate Home?

The primary benefit of WinGate is its ability to allow multiple computers to share a single Internet
connection. This eliminates the need to add additional phone lines, Internet access accounts, modems, or
expensive dedicated circuit hardware in order to provide Internet access to multiple computers. By sharing
a single Internet account and connection with WinGate you can provide Internet access to an entire
network with immediate cost savings.

WinGate also protects your internal network with its firewall component. The WinGate firewall blocks
intruders from breaking into the computers on your network. This is because the computers are not
visible on the Internet in that they exist "behind" the WinGate server. Only the WinGate server is directly
connected to the Internet.

With Standard and Pro licenses you get WRP, NAT and also WinGate Proxies. These are the three
ways WinGate can share your Internet connection (depending on what fits the application best).
However, with Home you only get WRP (Winsock Redirection Protocol) and NAT (Network Address
Translation). WRP and NAT are ideal for home users as they both require zero configuration.

General Purpose Internet Sharing (NAT)

NAT is implemented automatically if you are using WinGate DHCP (this is the default in any install).
This means that any computer on your network will have access to the Internet "automatically".

Learn more about NAT …

Winsock Redirection Protocol (WRP)

WRP is implemented by way of the WinGate Internet Client (WGIC). It can be used for both outgoing and
incoming connectivity needs. However, the advent of NAT has meant that the client is no longer
necessary for outgoing Internet access.

You will only need to use WRP if you want to run server applications behind the WinGate firewall
(e.g. web or ftp servers). You can read much more about this in the WinGate Internet Client help file.

Learn more about WRP…

Home GateKeeper

GateKeeper is the user interface for WinGate. It has been simplified and cut-down from the GateKeeper
interface used in Standard and Pro versions of WinGate. When you first open GateKeeper the main
window will show the name of the WinGate server and your GateKeeper connection, until there is
Internet activity somewhere on your network.

GateKeeper is used to tweak various WinGate settings and to view Internet activity over your network (by
toggling between views) as either:

Activity: Internet activity is displayed in real-time so you can view what your users are accessing at
any time e.g. web requests, email checking, ftp downloads etc.

History: All activity is recorded in a database that you can view from GateKeeper. This
information is useful from a security point of view, since you have a permanent record of
Internet activity on your network.

Unlike with the Standard and Pro licenses, you will not have to log in to GateKeeper as there are no users
or groups in WinGate Home. Also, as WinGate Home requires next to no setup, there are very few
options available for users to configure.

Note:

A limited number of Advanced Options can be made available by running GateKeeper with a /a switch.

• Click here to learn more about this.

History in WinGate Home

History: All activity is recorded in a database that you can view from GateKeeper. This
information is useful from a security point of view, since you have a permanent record
of Internet activity on your network.

With GateKeeper (from the Options menu), you can configure some of the items that
are written to the history database.

File Menu in WinGate Home

View Menu in WinGate Home

Options Menu in WinGate Home

Help Menu in WinGate Home

Dialer in WinGate Home

Dialing an Internet connection with WinGate is the same for Home, Standard and Pro licenses.

See:

Dialing in WinGate

Advanced Options in WinGate Home

From the Command Prompt (Start Menu/Programs/Command Prompt) go to the WinGate directory and
run gatekeeper with the /a switch. The Advanced Options in WinGate Home allow you to configure three
settings. You will probably never need to change any of these settings but some rare situations may
require you to do so.

Enable DHCP Service

DHCP is essential to Home users as it makes many complicated changes to the networking settings of the
computers on your network. It plays a central role in making WinGate Home installations "self-
configuring". This option is usually enabled.

The only time you will want to turn this off is if you are running another DHCP server on your network.
If you choose to use another DHCP server (we do not recommend this) then you will need to make sure
the "router" setting points at the IP address of the WinGate server (this is required to use NAT).

Enable DNS Service

DNS is essential to Home users. This option is usually enabled. The only time you will want to turn this
off is if you are running another DNS server on your network.

Network Extensions for WinGate Home

The Extended Network Support Driver provides exciting new functionality for WinGate Home users –
General Purpose Internet Sharing (NAT), support for bridging multiple sub-networks and a full-strength
firewall. Most of these features are the same as they are with a WinGate Standard or Pro license except
the firewall, which is a simplified and cut-down version (users do not have access to the custom mode).

Where Do I Configure Network Extensions?

In WinGate Home, the Network Extension properties are accessible from the "Options" menu (see above).
There is next to nothing to configure but you can enable/disable most of the features and also select a
security level for the firewall.

What Features Do I Get With A Home License?

Home users may only turn the default settings for each feature ON or OFF (Standard and Pro users can
configure and tweak these features to meet the individual requirements of their LAN).

• General Purpose Internet Sharing (NAT)

NAT refers to "Network Address Translation" – a powerful network technology that enables
computers on your network to directly access the Internet by sharing the connection on your
gateway (WinGate) computer. It is a groundbreaking feature as it:

  • Requires NO manual proxy configuration or client software,

  • Supports virtually ANY operating system (including MacOS, Linux, Unix, and of course any
  Windows PC).

• Support for Multiple Subnetworks (router)

This allows you to share drives, files and other resources between computers that are connected
to separate sub-networks. If the WinGate computer has a network card plugged into both sub-
networks, it is then able to "route" any required data between them (TCP and UDP data only).

• Security Firewall Protection

The new firewall and security technology in WinGate is implemented with low-level filtering of
individual TCP and UDP packets (the type of packets used to send or receive any data from the
Internet). Full-strength firewall protection is an entirely new addition for all WinGate users – it
offers the level of security and protection required for your gateway computer.

Help for WinGate Home

Clicking this button will launch the main help screen for WinGate Home. You can view the Table of
Contents for help from the ‘Help’ menu (there is a specific branch for Home users).

This is the full help file for all WinGate versions so you can browse other topics to learn more about
advanced features only available with WinGate Standard and Pro licences.

Proxies

The normal meaning of the word proxy is someone who does something on behalf of someone else, e.g.
voting by proxy. The Internet use of the word has the same meaning but refers to a software program.
WinGate does things on behalf of other software programs. Specifically, WinGate makes Internet requests
to Internet servers on behalf of Internet clients. It is important to remember that WinGate does the proxy
work, not GateKeeper.

Important Note:

The WinGate Internet Client (WRP-based) and General Purpose Internet Sharing (NAT-based) have
decreased the importance of proxies. However, proxies are still required if you wish to connect non-
Windows PCs through WinGate or prefer to have per-service control with policies.

The Typical Proxy Scenario: A Web browser accessing the Internet through a proxy server.

In this case, the Web browser has been configured to work through a proxy server. In normal cases, this
appears transparent to the user, as though the browser were communicating directly with a web server
(which it is not).

1. A Web client connects to WinGate


2. The client sends a proxy-request to WinGate (e.g. ‘get me this URL’)
3. WinGate interprets the request, and if it is allowed, connects to the server specified in the request
4. WinGate makes a modified request to the Web server, as if WinGate were the web browser itself
5. The server sends the file to WinGate
6. WinGate passes the file to the Web browser.

The other proxies in WinGate work in much the same way; the client submits a request, WinGate
interprets and evaluates the request and performs it on behalf of the client, passing back any data to the
client as necessary.

It is important to note that, when using the Internet through WinGate, at no time are you directly
connected to any computer beyond your LAN. You may seem to have a connection to the Internet, but
this is because WinGate is connecting out for you and passing data back to you. This means that in ALL
circumstances, the computer wanting access to the Internet connects to the computer running WinGate
(the ‘WinGate server’).

One of the first questions that should spring to mind is "How does WinGate know which server to connect
to?" The answer to this is simple - you have to tell it. Many applications can tell gateways where to
connect to (e.g. Netscape, WS_FTP) but some cannot (i.e. News, IRC and others). When the application
cannot tell WinGate where to connect to, the user must pre-configure WinGate to connect to a given
computer. This is where the Mapping Proxies in WinGate come in. Mapping Proxies are a way of telling
WinGate in advance where you want it to connect.

Some software can detect a proxy server automatically if instructed to do so. However, most other
software requires that you specify your proxy server IP address and port number. When you are using
the WinGate proxy server, you must specify the IP address and the port number of the WinGate server.

Integrating WinGate Proxies with Other Servers


Some computers have servers other than WinGate running on the WinGate server. Most (probably all) of
these servers will run alongside WinGate very smoothly. The main point to remember is that you can
only have one application listening on any one port at any one time. There are two common ways to
achieve this.

Proxy option:

You can change the port that the conflicting WinGate service is running on. You will have to enter the
new proxy details into each client’s setup or make use of the PAC files.

Example:

A company has an FTP server for staff to use. They have a full-time connection to the internet.

The administrator decides to install WinGate, to allow the whole network to access the Internet.
1. He installs WinGate on the computer that is connected to the Internet and runs GateKeeper
2. In GateKeeper he sees that WinGate FTP service on port 21 failed to start
3. He changes the WinGate FTP Service port to 8021
4. Now in all the FTP client applications, 8021 is used for the firewall port
5. The FTP server still runs on port 21.

Non-Proxy option:

The best solution is to change the port on which the server (not the WinGate service) runs. It is usual to
add 8000 to the original port number, e.g. 8080 for WWW servers, or 8110 for POP3 servers. Then, with
a small alteration to the proxy, you will have seamless access to both the server and the proxy.

Example:

A company has a WWW server for the company web pages. They have a full-time connection to the
internet.

The administrator decides to install WinGate.


1. He installs WinGate on the computer that is connected to the Internet and runs GateKeeper
2. In GateKeeper he sees that WinGate WWW service on port 80 failed to start
3. He changes the WWW server to run on port 8080
4. He opens the WWW proxy properties and selects the Non-proxy request tab
5. He selects Pipe request through to a predetermined server
6. He enters the IP of the WinGate server, and port 8080
7. He saves this configuration and restarts the service
8. Client configuration is the same as for normal proxy use and the Web pages can still be accessed
normally.

Servers on different computers

With WinGate, it is easy to run servers such as mail, FTP or WWW on different computers. These
computers connect to the Internet via WinGate. This is simple, and can be more secure.

There are two common ways to achieve this:

• Use a mapped link from the appropriate port on the WinGate server to the server on the workstation,
or
• Make use of the Non-proxy capability of the WinGate services to pipe to the server on the
workstation.

The non-proxy approach is often convenient as it allows both proxy and non-proxy operations on the
same port.

Integrating WinGate with a Web Server

With a Web server you have 2 options:

Proxy option:

If you change the port on which the service in WinGate is to run, it is common to use port 8080, or port
90. You will have to enter the new proxy details into clients’ browser setup or make use of the PAC files.

Non-Proxy option:

The best solution is to change the port on which the Web server (not the WinGate WWW proxy) runs.
Typically, this would be changed to port 8080. Then, with a small alteration to the proxy, you will have
seamless access.

1. In the GateKeeper setup for the WinGate WWW proxy, select the Non-proxy request tab and
select the option: Pipe to predetermined server.
2. In the Server field, enter the name/IP of the computer your Intranet Web server is running on.
This could be the same computer that WinGate is on, or another computer on your LAN or even
somewhere else on the Internet.
3. In the port field, enter the port on which the Web server now runs.

Now, when a proxy request is made, normal proxy operation takes place. But when a non-proxy request
takes place, such as a hit on your web pages, the request is piped through to the Web server specified.
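How one listener can serve both kinds of request: in HTTP, a request sent to a configured proxy carries an absolute URL (or uses CONNECT), while a direct hit on a Web server carries only a path. The C code below is an added example, not WinGate code; the page does not describe WinGate's own test, and the pipe target 192.168.0.1:8080, the sample request lines and all names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum route {
    ROUTE_PROXY,   /* client asked the proxy to fetch from another host  */
    ROUTE_PIPE,    /* ordinary request: pipe to the predetermined server */
    ROUTE_REJECT   /* not a well-formed HTTP request line                */
};

/* Constructed values, following the page's example of moving the Web
 * server to port 8080 on the WinGate computer. */
static const char PIPE_HOST[] = "192.168.0.1";
static const int  PIPE_PORT   = 8080;

/* True if s[0..n) begins with "scheme://" (RFC 3986 scheme syntax). */
static int has_scheme(const char *s, size_t n)
{
    size_t i = 0;

    if (n == 0 || !isalpha((unsigned char)s[0]))
        return 0;
    while (i < n && (isalnum((unsigned char)s[i]) ||
                     s[i] == '+' || s[i] == '-' || s[i] == '.'))
        i++;
    return i + 3 <= n && memcmp(s + i, "://", 3) == 0;
}

/* Classify one request line: METHOD SP request-target SP HTTP/x.y */
enum route classify_request(const char *line)
{
    const char *sp1 = strchr(line, ' ');
    const char *sp2 = sp1 ? strchr(sp1 + 1, ' ') : NULL;
    const char *target;
    size_t mlen, tlen;

    if (!sp1 || !sp2 || sp1 == line || strncmp(sp2 + 1, "HTTP/", 5) != 0)
        return ROUTE_REJECT;
    mlen = (size_t)(sp1 - line);
    target = sp1 + 1;
    tlen = (size_t)(sp2 - target);
    if (tlen == 0)
        return ROUTE_REJECT;

    /* CONNECT carries host:port (authority-form): always a proxy request. */
    if (mlen == 7 && memcmp(line, "CONNECT", 7) == 0)
        return memchr(target, ':', tlen) ? ROUTE_PROXY : ROUTE_REJECT;
    /* Absolute-form target (http://host/path): sent to a configured proxy. */
    if (has_scheme(target, tlen))
        return ROUTE_PROXY;
    /* Origin-form (/path) or "*": the client believes it reached a server. */
    if (target[0] == '/' || (tlen == 1 && target[0] == '*'))
        return ROUTE_PIPE;
    return ROUTE_REJECT;
}

/* Writes a human-readable routing decision into buf and returns buf. */
const char *describe(const char *line, char *buf, size_t n)
{
    switch (classify_request(line)) {
    case ROUTE_PROXY:
        snprintf(buf, n, "proxy");
        break;
    case ROUTE_PIPE:
        snprintf(buf, n, "pipe to %s:%d", PIPE_HOST, PIPE_PORT);
        break;
    default:
        snprintf(buf, n, "reject");
        break;
    }
    return buf;
}

int main(void)
{
    /* Constructed sample request lines. */
    static const char *samples[] = {
        "GET http://www.example.com/index.html HTTP/1.0",
        "GET /index.html HTTP/1.0",
        "CONNECT www.example.com:443 HTTP/1.1",
        "OPTIONS * HTTP/1.1",
        "GET www.example.com HTTP/1.0",
        "garbage",
    };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s -> %s\n", samples[i],
               describe(samples[i], buf, sizeof buf));
    return 0;
}
```

Every path-only request arriving on the proxy port reaches the piped server, so that server should be one you intend to expose to whoever can reach the port.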

Integrating WinGate with an Email Server

There are two issues here: SMTP (for sending mail) and POP3 (for retrieving mail).

For SMTP you have two options. You can run the SMTP server on a different port (e.g. 8025) and have
mappings set up from port 25 to the new port. This allows you to track access to your SMTP server with
the WinGate logging.

Note:

Incoming mail will count as a user in the license count with this setup.

If you do not need details about the mail you are receiving, then simply delete the mapped link
on port 25, leave the server on port 25, and WinGate won’t deal with SMTP at all.

When sending mail, clients send to the server ‘wingate’.

Set up the POP3 server on a different port, for instance 8110, and in the POP3 proxy make the
following changes with GateKeeper.
1. Select Non-proxy requests
2. Choose the Pipe option
3. In the server box, enter your mail server name (e.g. mail.com-vision.com) or ‘wingate’
4. Enter the new port number for the POP server

When checking mail, users on the LAN will check their user name at the server ‘wingate’. In Eudora
this would be user@wingate.

Integrating WinGate with a FTP Server

You can run the proxy on a different port, e.g. 8021 or use the pipe method to pipe Non Proxy requests to
the FTP server on the different port.

The best solution is to change the port on which the FTP server (not the WinGate FTP proxy) runs.
Typically, this would be changed to port 8021. Then with a small alteration to the proxy, you will have
seamless access.

1. In the GateKeeper setup for the WinGate FTP proxy, select the Non-proxy request tab and select
the option: Pipe to predetermined server.
2. In the Server field, enter the name/IP of the computer your FTP server is running on. This could
be the same computer that WinGate is on, or another computer on your LAN or even somewhere
else on the Internet.
3. In the port field, enter the port on which the FTP server now runs.

Now, when a proxy request is made, normal proxy operation takes place. But when a non-proxy request
is made (i.e. someone is accessing your FTP server), the request is piped through to the FTP server specified.

Winsock Redirection Protocol Service

The WRP Service runs on the WinGate server and implements the WRP (Winsock Redirection
Protocol). WRP allows your Internet applications to run as if they are directly connected to the Internet.
Once the WinGate Internet Client (WGIC) is installed on your client computers, no Internet software
configuration is needed. Previous versions of WinGate required each application to be configured
manually for proxy operation. This is no longer required, although any proxy-configured software will
still work.

The WRP gives all your applications the benefit of being directly connected to the Internet, while
enjoying the benefits of a proxy server and the security of a firewall.

WRP allows your client applications to:


• Make TCP connections (e.g. WWW browsing)
• Accept TCP connections (e.g. like a WWW server)
• Send UDP data (e.g. streaming applications like Real Audio)
• Accept UDP data (e.g. like a Real Audio server).

How does it work?

WRP works like this: an Internet application on the client computer attempts to make a connection to a
computer on the Internet. The WinGate WRP client detects this and determines what kind of request it is.
If it is a connection to a computer on the same network, the client lets the application make the connection
directly. If the client tries to connect to a computer on the Internet, (i.e. it is not on the same network)
then the WRP client ‘catches’ the connection and sends it to the WinGate WRP service. WinGate then
makes the connection as if it was the client computer, and because it is directly connected to the Internet,
it succeeds.

What needs setting up?

In a word, nothing! Let’s look at the configurations normally required and how this is overcome with
WinGate.

Configuring TCP/IP

With WinGate DHCP, you don’t need to configure TCP/IP. Just install it, and it works. All your
computers are automatically given IP numbers.

Configuring applications

Applications no longer need any configuration to use the Internet. WinGate Internet Client takes care of
this.

The WRP service is fully configurable, however its default configuration is designed to be optimal for
most situations. A great feature of WRP is that you no longer need to have different proxies for different
services. WRP is a new connection method that allows connections to be handled natively instead of at an
application level. While you can still have separate proxies, you only need them if you want specific
control over those services. Most people will only need WRP, DHCP, DNS and RCS servers.

WRP Application Modes

When the WinGate Internet Client recognizes that an application is trying to bind to a system port number
(port number less than 1024), it assumes that the application is a server-style application (i.e. it waits and
listens for incoming connections from other computers).

WinGate looks at the name of the application, and it saves this information with a mode parameter. When
you open the control panel applet, the name and details will be listed, and you can modify the selected
mode. Internet applications that run on a computer with the WinGate Internet Client installed have a
mode associated with the way they are allowed to operate.

Local Access Mode:

When an application is set to run in Local Access Mode, it is ignored by the WGIC. This means that no
outgoing or incoming requests for Internet connections will be redirected by the WGIC. This mode is of
key importance when using NAT together with the WGIC on a single computer. Any applications that you
want to use NAT for outgoing connectivity must be set to run in Local Access Mode.

Mixed Access Mode:

This mode allows the applications to make outward connections using WRP, but will not allow incoming
connections from the Internet via WRP. Only computers on your local network will be able to connect to
this application. All applications will be set to run Mixed Access Mode by default.

Global Access Mode:

Applications set to run in Global Access Mode will have full connection ability. They can accept
incoming connections and can make outgoing connections using WRP. For your server application to be
externally accessible, it will need to operate in this mode.
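The three modes and the same-network rule from "How does it work?" combined into one decision function. This is an added example that models the behaviour described here, not WGIC code; the LAN 192.168.0.0/24, the Internet address 203.0.113.10 and all names are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

enum app_mode { MODE_LOCAL, MODE_MIXED, MODE_GLOBAL };

enum action {
    ACT_DIRECT,    /* WGIC takes no part; the normal network stack handles it */
    ACT_VIA_WRP,   /* carried through the WRP service on the WinGate server   */
    ACT_BLOCKED,   /* WRP will not carry it                                   */
    ACT_INVALID    /* address could not be parsed                             */
};

/* An IPv4 network in host byte order. */
struct lan { uint32_t net, mask; };

/* Parse dotted-quad text into host byte order. Returns 1 on success. */
static int parse_ip(const char *text, uint32_t *out)
{
    struct in_addr a;

    if (inet_pton(AF_INET, text, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Build a network from address text and prefix length (0..32). */
int lan_init(struct lan *l, const char *net, int prefix)
{
    uint32_t ip;

    if (prefix < 0 || prefix > 32 || !parse_ip(net, &ip))
        return 0;
    l->mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    l->net = ip & l->mask;
    return 1;
}

static int on_lan(const struct lan *l, uint32_t ip)
{
    return (ip & l->mask) == l->net;
}

/* Outgoing connection from an application to dest. */
enum action outbound(enum app_mode mode, const struct lan *l, const char *dest)
{
    uint32_t ip;

    if (!parse_ip(dest, &ip))
        return ACT_INVALID;
    if (on_lan(l, ip))          /* same network: connect directly        */
        return ACT_DIRECT;
    if (mode == MODE_LOCAL)     /* ignored by the WGIC, e.g. left to NAT */
        return ACT_DIRECT;
    return ACT_VIA_WRP;         /* Mixed and Global both redirect outward */
}

/* Incoming connection to a listening application from src. */
enum action inbound(enum app_mode mode, const struct lan *l, const char *src)
{
    uint32_t ip;

    if (!parse_ip(src, &ip))
        return ACT_INVALID;
    if (on_lan(l, ip) || mode == MODE_LOCAL)
        return ACT_DIRECT;      /* LAN peers connect directly; Local is never redirected */
    return mode == MODE_GLOBAL ? ACT_VIA_WRP : ACT_BLOCKED;
}

int main(void)
{
    static const char *mode_name[] = { "Local", "Mixed", "Global" };
    static const char *act_name[] = { "direct", "via WRP", "blocked", "invalid" };
    struct lan office;
    int m;

    lan_init(&office, "192.168.0.0", 24);   /* constructed LAN */
    for (m = MODE_LOCAL; m <= MODE_GLOBAL; m++)
        printf("%-6s out->LAN %-8s out->Internet %-8s in<-Internet %s\n",
               mode_name[m],
               act_name[outbound((enum app_mode)m, &office, "192.168.0.7")],
               act_name[outbound((enum app_mode)m, &office, "203.0.113.10")],
               act_name[inbound((enum app_mode)m, &office, "203.0.113.10")]);
    return 0;
}
```

Only Global Access Mode yields "via WRP" for a connection arriving from the Internet, which is the row to review when deciding which client applications may be reachable from outside.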

WRP Compatibility

Applications that make only outgoing connections (called client applications) are fully supported by
WinGate WRP. This covers the bulk of client applications: web browsers, email, FTP etc.

Any application that accepts incoming connections (called server applications) on a fixed port will be
limited to running one copy per WinGate installation. This is because WRP causes the corresponding port
on the WinGate server to be bound and "listen".

Conflict arises when a second application attempts to associate/bind to the same port. This can be
overcome on the network by changing the port on which the server listens, or using a mapped link in
WinGate and disabling the WinGate client. Any application that listens to a predefined port is in this
situation. If the port can be changed, then conflict is avoided.

See also:

Note for Application developers

Notes for Winsock Application Developers

This topic contains some suggested guidelines for developers of WinSock 2 applications. By following
these guidelines, developers will help to ensure that any software they write interacts correctly with the
WinGate Winsock Redirection Protocol (WRP).

1. Avoid at all costs implementing protocols where the client explicitly tells the server what its IP
address or port is for any connection or transfer of data back to the client. This is for the following
reasons:

a) A client cannot be expected to even know its real IP address on a NAT system, and there may
not even be a mechanism to discover it

b) The server can always use getpeername() to find out where the client is communicating from,
so transmitting the information is often redundant (and can be misleading).

2. Avoid at all costs using fixed port numbers in the client application. If the client needs to accept a
connection, or receive data on a port number, this number should be allocated by the operating
system (by calling bind() with a port number of zero), and the resultant port number transmitted to
the other end. Take care also when doing this, as it may break some NAT systems. The best way is
to have any connections required initiated by the client.

3. Consider that any computer can be multi-homed. So, calling gethostbyname() on the result of
gethostname() and using the first returned IP address will break many applications. If you must
know your IP address, obtain it in terms of the interface on the local computer that will see the other
host that is the other interested party in the communication. You can do this by either:

a) If you have a TCP connection open to the other party, call getsockname() on that socket to
retrieve your IP address

b) Else, if you have no connection, make a dummy connection to a known service on the other
party, and then call getsockname() on the connected socket

c) Or if you cannot know about any specific service to connect to, bind a dummy socket to each
known interface, and try a connection to the other party on a random port. The connection will
fail quickly with WSAENETUNREACH if you are trying the wrong interface. If you are on the right
interface, you will get either a successful connection or a connection-refused failure

d) Or use SNMP to enumerate the route table on your computer, and work out the interface IP from
that

e) Or use Winsock 2 calls to determine the correct interface.

Additional Notes:
• When using WRP and the WinGate Internet Client, or a socks client and server, ALL client
computers will immediately become multi-homed. For this reason guideline three becomes
particularly important.
• Some circuit-level proxies hook calls to getsockname() and getpeername(), and provide the interface
on the server. Some do not. WRP/WGIC does.
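Guidelines 1b, 2 and 3a above, exercised on a loopback connection. This is an added example, not code from the WinGate documentation; it uses POSIX sockets (an assumption, so that it runs outside Windows; the Winsock 2 functions named above have the same names), and all function and structure names are illustrative.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What each side learned about the client's endpoint. */
struct exchange {
    unsigned short listen_port;        /* port the OS chose for the listener */
    struct sockaddr_in client_local;   /* client side: getsockname()         */
    struct sockaddr_in server_peer;    /* server side: getpeername()         */
};

/* Guideline 2: bind() with port 0, then read back the port the OS allocated. */
static int listen_on_os_port(unsigned short *port_out)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    int s = socket(AF_INET, SOCK_STREAM, 0);

    if (s < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(0);
    if (bind(s, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(s, 1) < 0 ||
        getsockname(s, (struct sockaddr *)&addr, &len) < 0) {
        close(s);
        return -1;
    }
    *port_out = ntohs(addr.sin_port);
    return s;
}

/* Runs one connection and records both views. Returns 0 on success. */
int run_exchange(struct exchange *x)
{
    struct sockaddr_in dst;
    socklen_t len;
    int lst, cli, srv = -1, rc = -1;

    memset(x, 0, sizeof *x);
    lst = listen_on_os_port(&x->listen_port);
    if (lst < 0)
        return -1;

    /* The client initiates the connection and never binds a fixed port. */
    cli = socket(AF_INET, SOCK_STREAM, 0);
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    dst.sin_port = htons(x->listen_port);
    if (cli < 0 || connect(cli, (struct sockaddr *)&dst, sizeof dst) < 0)
        goto out;

    /* Guideline 3a: ask the connected socket which local address it uses. */
    len = sizeof x->client_local;
    if (getsockname(cli, (struct sockaddr *)&x->client_local, &len) < 0)
        goto out;

    /* Guideline 1b: the server learns the client's endpoint by itself. */
    srv = accept(lst, NULL, NULL);
    len = sizeof x->server_peer;
    if (srv < 0 ||
        getpeername(srv, (struct sockaddr *)&x->server_peer, &len) < 0)
        goto out;
    rc = 0;
out:
    if (srv >= 0)
        close(srv);
    if (cli >= 0)
        close(cli);
    close(lst);
    return rc;
}

/* 1 when the server's view of the client matches the client's own view. */
int views_agree(const struct exchange *x)
{
    return x->client_local.sin_port == x->server_peer.sin_port &&
           x->client_local.sin_addr.s_addr == x->server_peer.sin_addr.s_addr;
}

int main(void)
{
    struct exchange x;
    char ip[INET_ADDRSTRLEN];

    if (run_exchange(&x) != 0) {
        perror("exchange");
        return 1;
    }
    printf("listener got port %u from the OS\n", x.listen_port);
    inet_ntop(AF_INET, &x.client_local.sin_addr, ip, sizeof ip);
    printf("client getsockname(): %s:%u\n", ip, ntohs(x.client_local.sin_port));
    inet_ntop(AF_INET, &x.server_peer.sin_addr, ip, sizeof ip);
    printf("server getpeername(): %s:%u\n", ip, ntohs(x.server_peer.sin_port));
    printf("views agree: %d\n", views_agree(&x));
    return 0;
}
```

On loopback the two views agree. Across a NAT the address the client sees for itself is not the one the server sees, and only the server's getpeername() result leads back to the client, which is the reason for guideline 1.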

WRP FAQ

What is WRP?

Winsock Redirection Protocol is a specification for Winsock request redirection. It enables client
computers to gain access to the Internet without proxies or a direct connection.

What is the WRP service?

Winsock Redirection Protocol Service is the server in WinGate that provides WRP access, just as an FTP
server provides FTP.

What is the WGIC?

The WinGate Internet Client is the service that lets your client computers use the WRP Service on the
WinGate server. It is invisible, but configurable through its control panel icon.

What are the advantages of using WRP?

Firstly, it is very easy to use. No more client configuration is required; once installed, the WinGate client
does everything for you. WinGate configuration is simple too. Most people only need 5 services, instead
of about 15!

Second, WRP is fast. Once installed, there is no more time wasted getting applications working.

What are the disadvantages?

As all connections are made from the WinGate server, on the ports requested by the client application,
port conflicts may occur. See the section on Current compatibility.

Do I need to know lots about networking?

No. That is the bonus of the WinGate WRP Service. In fact you don't even need to know that it is
running. Once installed, the WinGate Internet Client will do all of the work for you.

How do I install WRP?

You must have the WRP Service installed on the WinGate server (it is an ordinary WinGate System
Service that is installed by default). Installing the WinGate Internet Client on client computers enables
them to use this service. To see how to install the WinGate Internet Client read the installation section of
this help file.

I have run the install, I can't see the WinGate Internet Client?

Don't worry, this is correct. The WGIC runs as a service similar to the way a mouse driver works: It's
always ready, but you can't see it. It requires no configuration, but there is an icon added to the control
panel.

Can I be sure my network is secure if I use WRP?

Yes. WRP Service is carefully designed to give you maximum security. The WRP Service will only
work for the computers on your own LAN. If you accidentally run a server on a client computer, it will
not be accessible to the Internet unless you explicitly allow this.

How do I configure WRP to block ALL applications except the ones I choose?

Using the ‘ban client application’ setting (added in version 3.05 and later) you can achieve this.

Try changing the WRP Policies to:

1. Default rights are ignored
2. Add "Everyone" with ban list "Not client application name is empty". These two entries ban all
applications for everyone. So:
3. Add "Everyone" with ban list "Not client application name equals X" (e.g. where X is
TELNET.EXE)
4. Add "Everyone" with ban list "Not client application name equals Y" (e.g. where Y is
NETSCAPE.EXE).

Now they can run the client with apps X and Y but no others. This provides centralized control over what
applications WRP will and will not re-direct.

However, this is not a completely bulletproof solution (which is why we've never pursued such a scheme).
Bear in mind that a rogue user can subvert this by changing the name of the .EXE you chose to ban (i.e.
you ban netscape.exe but allow telnet.exe; renaming the netscape.exe file as telnet.exe allows the user to
evade this policy).

Is it easy to use?

Very easy. WRP is designed to run without any user intervention required.

Why should I use WRP?

WRP saves you time and money configuring your network. WRP is a godsend for network
administrators, as client applications now require no setup to use a firewall.

Will it work with my old applications?

Yes. The WRP client will allow any TCP or UDP application to run as if it was directly connected to the
Internet.

Is it forwards compatible?

Yes. WRP will allow any TCP or UDP application to run as if it was directly connected to the Internet.

How do I set up applications to use it?

You don't! WRP works without any application configuration. No more proxy settings, no more mapped
links or hosts files.

Can I have several versions of WinGate running?

Yes. Each WRP client can handle multiple WinGate engines on your network. The most appropriate
WinGate will be used. If one WinGate is too busy, the client will use another.

What is GDP?

Generic Discovery Protocol. This protocol is an IANA registered Internet standard, with an assigned
system port number: 368. GDP is used for finding or discovering Gateway computers on a network.

Is WRP a standard?

Yes. WRP uses GDP to discover WinGate installations. WRP is a protocol specification for Winsock
redirection. Both WRP and GDP specifications were created and developed by Qbik New Zealand Ltd.

Is WRP going to stick around, or is it just the latest fad?

WRP is designed to be an expandable protocol. Forward-version compatibility is built-in, with version
negotiation allowing different versions of the protocol to be used between client and server. Qbik is
committed to its development and support.

How compatible is it with my computers?

It is 100% compatible with any PC running Windows 95, 98, NT4, or higher.

What if I have Macintoshes on my network? What about other types of computers?

The WRP client is only available for Windows 95, 98 and NT. Other PCs will have to use the WinGate
Proxies or NAT Service (NAT was introduced in WinGate 4.0).

Will the people on my network need training?

No. No training is required because WRP is transparent: the computer user does not need to know
anything about WRP or how they are getting Internet access.

Can I run multiple WRP Services on my network?

Yes. Each WRP client can handle multiple WinGate engines on your network. The most appropriate
WinGate server will be used. If one WinGate is busy, the client will use another (unless you specify
otherwise).

Will it work with Intranet servers?

Yes. WRP does not affect connections to computers on your own LAN.

What does this mean for Internet software authors?

WRP is good news. Proxy support is no longer required. All TCP and UDP client and server applications
will work. No firewall configuration will be needed to use the Internet.

E
email................................. 69, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 395
Email options in the installer ........................................................................................... 241
Enable/Disable Extended Network Driver....................................................................... 304
Enable/Disable General Purpose Internet Sharing......................................................... 303
Enable/Disable Routing Between Multiple-Subnetworks................................................ 303
encryption ............................................................................................... 200, 201, 205, 206
ENS Driver Running out of Memory ............................................................................... 288
error................................................................................................................................. 340
Events ............................................................................................................................... 89
examples................................................................................................................. 344, 357
Execute commandline..................................................................................................... 94
export .............................................................................................. 368, 370, 371, 372, 373
Export user accounts ........................................................................................................ 92
export users ............................................................................................................ 370, 372
exporting ......................................................................................................... 368, 372, 373
Express or Custom setup................................................................................................ 239
Extended Network Support ............................................................................................. 375
F
FAQ................................................................................................................. 145, 146, 403
features ..................................................................................................... 28, 29, 30, 31, 33
Features Added in WinGate 4 .......................................................................................... 26
Features Added in WinGate 4.1 ....................................................................................... 24
Features Added in WinGate 4.2 ....................................................................................... 23
Features Added in WinGate 4.3 ....................................................................................... 22
File Menu in WinGate Home........................................................................................... 388

filter ......................................................................................................................... 137, 138
filtering............................................................................................................................. 352
Firewall Modes ................................................................................................................ 303
first .................................................................................................................................... 41
FTP ................................................................................................................... 69, 395, 396
FTP Proxy ....................................................................................................................... 107
G
GateKeeper................................................................................................................. 40, 41
GateKeeper File menu...................................................................................................... 57
GateKeeper for WinGate Home...................................................................................... 386
GateKeeper Help menu .................................................................................................... 59
GateKeeper history screen ............................................................................................... 49
GateKeeper logon............................................................................................................. 43
GateKeeper offline ............................................................................................................ 41
GateKeeper online ............................................................................................................ 44
GateKeeper Options menu ............................................................................................... 59
GateKeeper View menu.................................................................................................... 58
Gateway ............................................................................................................................ 96
GDP ............................................................................................................................ 95, 96
General Purpose Internet Sharing .................................................................................. 375
General tab ....................................................................................................................... 70
Generic Discovery Protocol .............................................................................................. 96
Getting started .................................................................................................................. 20
Glossary .......................................................................................................................... 203
group ............................................................................................... 332, 365, 366, 368, 369
Groups .................................................................................................... 329, 330, 331, 334
Groups tab
    Groups ............................................................................................................................ 337
guest ............................................................................................................................... 331
H
hacker ............................................................................................................................. 359
hackers............................................................................................................................ 359
help ............................................................................................................................. 39, 40
Help Menu in WinGate Home .......................................................................................... 390
History column picker........................................................................................................ 60
History in WinGate Home ................................................................................................ 388
History Plug-In
    Traditional WinGate Logging .......................................................................................... 305
History Plug-In Components ........................................................................................... 304
home ....................................................................................................................... 148, 384
hosts files ........................................................................................................................ 223
How do I Buy................................................................................................................... 149
How NAT works .............................................................................................................. 382
How To Use WinGate Help............................................................................................. 151
html ......................................................................................................................... 101, 102
I
import ..............................................................................364, 368, 369, 370, 371, 372, 373
import users ............................................................................................................ 370, 372
importing .........................................................................364, 368, 369, 370, 371, 372, 373
Incorrect Version of NAT Driver ...................................................................................... 287
Information ...................................................................................................................... 145
Install the WinGate NAT Service .................................................................................... 240

Installation Overview....................................................................................................... 250
Installing TCP/IP on the Client computers ...................................................................... 261
Installing TCP/IP on the WinGate server......................................................................... 253
Installing WinSock 2................................................................................................ 236, 256
Integrating NAT With WGIC and WinGate Proxies ........................................................ 378
Integrating WinGate proxies with other servers.............................................................. 395
Integrating WinGate with a FTP Server .......................................................................... 398
Integrating WinGate with a Web server .......................................................................... 397
Integrating WinGate with an email server....................................................................... 397
Integrating WinGate with other servers .................................................................... 69, 395
interfaces........................................................................................................................... 85
Interfaces tab .............................................................................................................. 74, 75
InterQuick Plug-in Integration ......................................................................................... 131
intranet ............................................................................................................................ 101
Introduction ....................................................................................................................... 39
Invalid Binding For Service ............................................................................................. 278
Invalid License ................................................................................................................ 281
Invalid WinGate 2 License .............................................................................................. 282
IP Address .............................................................................................................. 198, 199
IP Number ....................................................................................................................... 198
K
key................................................................................................................................... 149
L
licence ............................................................................................................................. 148
license ..................................................................................................................... 148, 149
License Info..................................................................................................................... 237
License Selector ............................................................................................................. 238
licensing .......................................................................................................................... 147
lite.................................................................................................................................... 147
local sites ........................................................................................................................ 230
localhost .................................................................................................................. 199, 200
location............................................................................................................................ 329
Location assumptions ..................................................................................................... 335
Location Tab ................................................................................................................... 349
Locations......................................................................................................................... 335
log ..................................................................................................................................... 41
logging....................................................................................................................... 39, 341
Logging tab ....................................................................................................................... 79
logic................................................................................................................................. 328
Logic and Caching .......................................................................................................... 201
login............................................................................................................................. 63, 64
logon ......................................................................................................... 41, 63, 64, 65, 66
Logon and Online Options ................................................................................................ 80
M
mail....................................................69, 133, 134, 135, 136, 137, 139, 140, 141, 142, 396
Main/Basic services ........................................................................................................ 240
Managing ........................................................................................................................ 330
Managing client reservations .......................................................................................... 167
managing groups ............................................................................................................ 364
managing users .............................................................................................................. 364
Managing Users and Groups .......................................................................................... 330
Mapped link advanced features ...................................................................................... 117

Mapping Services - Mapped links................................................................................... 115
Migrating Settings From WinGate 2................................................................................ 282
modem ............................................................................................................................ 230
money ............................................................................................................................. 338
Multi segment LANs......................................................................................................... 191
Multi-Language Support.................................................................................................. 236
Must Set Administrator Password for Remote Access ................................................... 287
N
NAT ................................................................................................. 376, 377, 382, 383, 384
NAT Failed to Load ......................................................................................................... 288
NAT Refused to Load ..................................................................................................... 287
Netmask .......................................................................................................................... 199
Network Address Translation.................................................................................. 376, 382
Network Extensions - Firewall......................................................................................... 293
Network Extensions - Port Security ................................................................................ 294
Network Extensions for WinGate Home ......................................................................... 392
Network Interface Setup ................................................................................................... 84
network neighborhood .................................................................................................... 292
News IRC IMAP4 Settings .............................................................................................. 242
No Interface Specified for Binding .................................................................................. 277
No Private IP Interfaces Bound to Service ..................................................................... 284
No Valid Interfaces Available for Service........................................................................ 276
Non-Private IP Allocation Denied ................................................................................... 284
Non-Proxy-Request tab .................................................................................................... 77
Notes for WinSock application developers ..................................................................... 402
NT groups ....................................................................................................................... 362
NT users.......................................................................................................................... 362
O
online................................................................................................................................. 39
Online Security Threats .................................................................................................. 299
Options Menu in WinGate Home..................................................................................... 390
P
Packet ............................................................................................................. 197, 198, 200
password...................................................................................39, 330, 331, 366, 367, 368
policies ....................................................................329, 330, 344, 345, 346, 347, 357, 358
Policies Tab ...................................................................................................................... 76
pop3
smtp ................................................................................132, 134, 136, 137, 138, 139, 142
POP3 Proxy .................................................................................................................... 111
pop3 setup ......................................................................132, 134, 136, 137, 138, 139, 142
Port Assignments............................................................................................................ 177
Port Range Configuration ............................................................................................... 297
Ports................................................................................................................................ 186
private ............................................................................................................................... 85
Private IP......................................................................................................................... 199
pro ................................................................................................................................... 148
problem ........................................................................................................................... 340
protecting ........................................................................................................................ 352
Proxies .................................................................................................................... 394, 395
proxy ................................................................................................................. 68, 123, 124
public................................................................................................................................. 85
Purchasing ...................................................................................................................... 149

R
Real Audio Proxy ............................................................................................................ 110
Recipient Tab.................................................................................................................. 348
Recommended Network Configurations ......................................................................... 381
Release/Renew TCP/IP configurations .......................................................................... 269
Releasing and renewing a DHCP Lease ........................................................................ 170
Remote control service ................................................................................................... 122
Remote Control Service Does Not Exist......................................................................... 281
remove .............................................................................................. 68, 270, 365, 368, 369
Removing a scope .......................................................................................................... 166
Request tab..................................................................................................................... 353
Reset all user accounts..................................................................................................... 93
restricting......................................................................................................................... 352
restriction......................................................................................................................... 352
rights ............................................................................................... 344, 345, 346, 347, 358
Roll over audit/logs ........................................................................................................... 91
route ................................................................................................................................ 292
router................................................................................................................................. 84
routing ..................................................................................................................... 192, 292
rules ................................................................................328, 329, 345, 346, 357, 358, 359
S
save
    saving................................................................................................................................ 85
Save History.................................................................................................................... 323
Scheduler .................................................................................................................... 86, 87
Scheduler Actions ............................................................................................................. 90
Scheduler logging ............................................................................................................. 87
screen ............................................................................................................................... 39
secure ............................................................................................................................... 62
Secure Interoffice Communications ................................................................................ 223
Securing your network .................................................................................................... 362
security............................. 62, 329, 330, 331, 344, 345, 346, 359, 360, 361, 362, 366, 367
Selecting installation directory ........................................................................................ 239
server ................................................................................................................ 68, 123, 124
service............................................................................................................................... 69
Service Pack ................................................................................................................... 253
Services .......................................................................................................................... 239
Services tab ...................................................................................................................... 54
serving html..................................................................................................................... 100
Sessions tab ..................................................................................................................... 75
smtp ................................................133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143
SMTP Proxy Service.......................................................133, 134, 136, 137, 138, 139, 142
smtp setup ......................................................................132, 134, 136, 137, 138, 139, 142
SOCKS............................................................................................................................ 124
SOCKS Advanced tab .................................................................................................... 105
SOCKS5 server .............................................................................................................. 104
spam ............................................................................................................... 137, 138, 142
spamming........................................................................................................................ 142
spam ....................................................................................................................... 138, 139
standard .......................................................................................................................... 148
Start Installation .............................................................................................................. 243
Starting DHCP ................................................................................................................ 158
Startup Options for WinGate Services ............................................................................ 323
STEP 1
    Setting Up A Working Network ....................................................................................... 251
STEP 2
    Setting up the WinGate server ........................................................................................ 251
STEP 3
    Installing or upgrading WinGate ..................................................................................... 252
STEP 4
    Setting up the Client computers...................................................................................... 260
Stopping DHCP............................................................................................................... 159
subnet ............................................................................................................................. 292
subnetwork...................................................................................................................... 291
Support............................................................................................................................ 149
System Info - Bindings Tab............................................................................................... 82
System Info - General Tab................................................................................................ 81
System Message Index................................................................................................... 274
System Message Options ............................................................................................... 273
System Messages................................................................................................... 272, 273
System tab .................................................................................................................. 51, 53
T
TCP UDP and IP............................................................................................................. 197
TCP/IP............................................................................................................. 197, 199, 200
TCP/IP and Network topics............................................................................................. 183
Technical......................................................................................................................... 149
Telnet Proxy.................................................................................................................... 109
Test TCP/IP .................................................................................................................... 267
text .................................................................................................. 368, 369, 370, 371, 372
text file............................................................................................. 368, 369, 370, 371, 372
The Log file viewer.......................................................................................................... 243
time ......................................................................................................................... 339, 340
Time Tab ......................................................................................................................... 351
trialing.............................................................................................................................. 147
trial .................................................................................................................................. 148
Trojan Horse Story.......................................................................................................... 299
troubleshooting ......................................................................................................... 61, 291
tunnel ................................................................................................................................ 77
U
UDP................................................................................................................................. 200
Uninstalling WinGate
uninstall ........................................................................................................................... 270
unsolicited ............................................................................................................... 137, 138
upgrade ........................................................................................................................... 147
upgrading ........................................................................................................................ 147
Upgrading to WinGate .................................................................................................... 257
Use another DHCP server to configure your clients ....................................................... 264
Use WinGate DHCP server to configure clients ............................................................. 262
user ..... 62, 63, 64, 65, 66, 329, 330, 331, 332, 333, 334, 339, 340, 365, 366, 367, 368, 369, 370
User Account Does Not Exist ......................................................................................... 280
User Accounting.............................................................................................................. 338
User assumptions ........................................................................................................... 335
User Authentication with WinGate .................................................................................... 62
user database .........................................363, 364, 365, 366, 367, 368, 369, 371, 372, 373
User Database Integration with NT & 2000 .................................................................... 247
User Group Not Found.................................................................................................... 280

User info tab.................................................................................................................... 337
User Request Failed WinGate Authentication ................................................................ 286
users ....................................................................................................................... 330, 331
Users screen..................................................................................................................... 54
Using Proxy Auto Configuration...................................................................................... 183
Using the Web Server..................................................................................................... 100
V
VDOLive Proxy ............................................................................................................... 113
verify........................................................................................................................ 367, 368
version............................................................................................................................... 34
versions............................................................................................................................. 29
View Menu in Wingate Home ......................................................................................... 389
Viewing log and audit files .............................................................................................. 343
W
watch............................................................................................................................... 340
web.................................................................................................................................. 123
web server .............................................................................................................. 101, 102
web site ........................................................................................................................... 101
Welcome To WinGate..................................................................................................... 237
Welcome to WinGate by Qbik........................................................................................... 19
what................................................................................................................................... 34
What do I need to run WinGate? ...................................................................................... 38
What is a Firewall?.......................................................................................................... 298
What is WinGate Home? ................................................................................................ 385
What is WinGate? ............................................................................................................. 27
What to cache ................................................................................................................. 325
What to purge ................................................................................................................. 327
What's New in WinGate Home? ..................................................................................... 385
What's new?...................................................................................................................... 21
when........................................................................................................................ 342, 343
Why do I need DNS? ...................................................................................................... 188
Why Use WinGate NAT Connectivity? ........................................................................... 376
Windows.................................................................................................................. 368, 369
Windows 2000 ................................................................................................................ 362
Windows NT.................................................................................................................... 364
WinGate DHCP Can Not Offer Client IP Address........................................................... 286
WinGate Dialer Restarted ............................................................................................... 283
WinGate Engine Monitor............................................................................................. 83, 84
WinGate Enhanced Networking...................................................................................... 289
WinGate Failed to Initialize ICMP ................................................................................... 283
WinGate Failed To Initialize SNMP ................................................................................ 283
WinGate FAQ.......................................................................................................... 145, 146
WinGate Home ............................................................................................................... 384
WinGate Policies............................................................................................................. 344
WinGate Pro License Key Does Not Exist...................................................................... 279
WinGate Services ............................................................................................................. 67
WinGate Tested Software............................................................................................... 146
WinGate Version differences ............................................................................................ 34
Winsock Redirection Protocol service ............................................................................ 399
Winsock Redirector Service.............................................................................................. 96
WRP................................................................................................ 403, 404, 405, 406, 407
WRP Application Modes ................................................................................................. 401
WRP Compatibility .......................................................................................................... 401

WRP FAQ ....................................................................................................................... 403
WWW ........................................................................................................ 70, 123, 124, 396
WWW Cache Settings .................................................................................................... 242
WWW Proxy Server .......................................................................................................... 99
www server ..................................................................................................................... 100
X
Xing Streamworks Proxy................................................................................................. 114
Y
Year 2000 Compliant ...................................................................................................... 152

