Konsultant's Log, Cyberdate 08.06.1998 WinGate - A Proxy Server / Firewall for Everyman

GLOSSARY:
  • SITREP
    Situation Report
  • INTREP
    Intelligence Report
  • CM
    Configuration Management
  • SUPINTREP
    Supplementary Intelligence Report
  • MISREP
    Mission Report
RELATED READING:
 
Other Sources:

How to secure your WinGate installation from abuse: There have been increasing amounts of press and publicity concerning unauthorized use of proxy/firewalls to perform illicit activities which may be attributable to a firewall user. A number of these instances have involved the use of WinGate. This page is an information source to tell users of the issues, and how they can defend themselves against abuse of their systems.

The WinGate Help Desk: The WinGate Help Desk outlines a number of resources to help you learn more about WinGate, troubleshoot problems, etc.

COMPANIES:

Alt-N Software MDaemon SMTP / POP3 Server for Windows 95 and Windows NT

Microsoft Corporation Windows 95, Windows NT

Qbik New Zealand Ltd. WinGate v2.1 Internet proxy server / firewall software

Rhino Software, Inc. FTP Voyager software

======================================

SITREP: Until this summer the company I work for had little need to access the Internet on a regular basis. Whenever the occasional e-mail or Web search was required, I would perform it from my main workstation, "Hal", over our one Dial-Up modem connection (a single telephone line that bypasses the company PBX telephone system).

We are a commercial architectural firm. Most of our work is in the State of Florida. This year we have several "mixed-use complex" projects out-of-state, however. Members of the project teams are in several states including North Carolina, South Carolina and Ohio. CAD drawings and other electronic documents are transferred via e-mail on a daily basis between team members. This level of coordination would have been very difficult and too expensive for a firm of our size ten years ago.

After a while, this document traffic began to bottleneck at Hal. Taking care of all this e-mail was becoming another one of my many "full-time" jobs. One of the nice effects of convergence in the modern technological world is that by the time a problem starts to affect a small business, there is usually a small business solution at hand.

The Problem: Everyone in the company needed occasional Internet access

"Occasional" is the key word here. Our needs did not justify the expense or the security problems of a telephone line and modem at every workstation. A continuous leased line Internet connection was not an option either.

The Solution: A "gateway" PC that would act as a communications server to the other machines on the company's network

WinGate Proxy Server / Firewall software turned out to be the solution to our particular problem.

INTREP: WinGate was the solution for many reasons. The three most important features of WinGate for our company were: its ability to auto-dial the ISP with the modem on the WinGate host PC when a request is initiated from any machine on the network, the ability of the WinGate host machine to work under Windows 95, and the ability of all computers on the network to use the same ISP account.

These features only scratch the surface of WinGate's capabilities, and there is a steep learning curve for those who want to fully optimize WinGate. The reason the learning curve is steep has nothing to do with WinGate. It's the nature of the technology. If you already have an understanding of how Internet proxy servers and firewalls work, WinGate configuration is a breeze.

Even if you are a neophyte (as I am), the excellent tutorials, help files and support forums at the WinGate site can get you started with a minimum of head-scratching in most cases.

CM: What follows is a step-by-step account of how a basic WinGate installation was set up for our network.

Step 1: Prep the WinGate host machine

Even though WinGate does not require the computer it is installed on to be dedicated to the task of running WinGate, I had decided some time back to reconfigure our previous file server "Old Blue" as a communications server. The story of that transformation up to the point of the WinGate installation is covered by the "In the Trenches" log entries "Old Blue becomes the Old Guard" Parts I, II, and III.

I had downloaded the trial version of WinGate (version 2.1b) for Windows 95, a 1.6Mb file called "wg21b95.exe". I also downloaded "wgsetup.zip", a 62Kb compressed file which contained the "wgsetup.doc" and "wgsetup.hlp" files.

I had difficulty opening and reading the "wgsetup.doc" file. I don't have Microsoft Word handy and tried the "Write" applet that comes with Windows 95. The file opened in Write but was gobbledygook. I also tried to open it in WordPerfect 7. WordPerfect informed me that the file "did not exist". I gave up.

"wgsetup.hlp" turned out to be a Windows Help file and it opened without problems. It is a short concise help file of twelve screens. The opening screen recommends reading the entire help file first, and I did.

I wanted to use the full capabilities of WinGate, so I went back to the WinGate Web site and applied for a trial registration number. The registration number arrived shortly via e-mail and I was ready to install WinGate.

Step 2: Install TCP/IP on the WinGate host machine

I had installed the TCP/IP networking protocol previously when configuring Old Blue to work with the company intranet and the modem (I already had a DUN "connectoid" set up for my local ISP).

Step 3: Set up TCP/IP on the WinGate host machine

Once again, TCP/IP had already been set up previously. At this point all I had to do was make some minor adjustments. The most important thing here was setting the IP address for the WinGate machine to a special "reserved" address. I had performed this tedious chore back when setting up "Johnny Mnemonic" as the company's new intranet web server (See In the Trenches Cyberdate 05.28.1998 "Building Johnny Mnemonic Part III"). This process is only tedious when you have to do it on several machines. When you make a change in the Windows 95 Network Dialog, Windows tends to want to reinstall drivers and then wants to reboot . . . This is one Wizard that could use some work (the reboot is understandable for a network setting, but why do the drivers have to be reinstalled?)

The Help file suggests using "192.168.0.1" as the IP address for the WinGate host machine. I used a number based on a company computer system number. Every time a new PC goes online here, it gets the next available system number. When a computer is retired to the salvage yard, its system number is also retired. Old Blue has been with us a long time (1986), but he was not our first PC. The honorable name of "System 1" belongs to an ancient Apple II Plus clone. To keep this explanation from getting too convoluted, however, we'll say that Old Blue is assigned the IP address 192.168.0.1 as recommended in the Help file.

Under the "IP Address" Tab of the "TCP/IP Properties" Dialog where we enter "192.168.0.1" as the IP Address is another similar field labeled "Subnet Mask". I had left this field empty when first configuring TCP/IP for the company intranet. The Help file states that "255.255.255.0" should be entered in this field, and I complied.

The help file instructs you to leave most of the other Tabs with the default settings with the exception of the "DNS Configuration" Tab where you enter data specific to your ISP. When all the settings have been adjusted, the computer is restarted.

Step 4: Install TCP/IP on the Client machines

I had previously performed this step for all the computers on our company network when I set up the intranet. Basically, you go to the Windows "Network" Dialog and add Microsoft's "TCP/IP" protocol.

Step 5: Set up TCP/IP on the Client machines

Under the "IP Address" Tab of the "TCP/IP Properties" Dialog each Client PC gets a unique private IP Address setting where the first three numbers are the same as the host's (the first Client PC could be "192.168.0.2", the next Client could be "192.168.0.3", etc.). All the Client PCs get the same Subnet Mask setting of "255.255.255.0". All our machines were already set up with the exception of the Subnet Mask.

The "WINS Resolution" Option under the "WINS Configuration" Tab is set to the "Disabled" state and the other settings are left alone.

The Help file states that the WinGate utility will set up the "DNS Configuration" for the Client machines, but for some reason I could not get this feature to work. It was easy enough to configure manually. You "Enable DNS", enter the network name for the PC in the "Host" Field, and add the WinGate Host computer's private IP Address in the "DNS Server Search Order" list ("192.168.0.1" in our example).

Step 6: Install WinGate

Back to the host machine "Old Blue". The installation file I had downloaded from the WinGate Web site was copied to a temporary directory on Old Blue, then run from Windows Explorer after shutting down all other programs. I instructed the installation wizard to make the WinGate directory "D:\WINGATE" rather than the default "C:\PROGRAM FILES\WINGATE". All other defaults were accepted.

The WinGate application installs as a "Service". It starts up when Windows starts and runs in the background. It is accessed for configuration by a separate utility called "GateKeeper". GateKeeper can be installed on, and run from, other machines on the network to remotely control the WinGate host, if desired. I decided to install GateKeeper on Old Blue only, since he sits in the Krash Lab and is under my direct supervision. Remote control would make sense if Old Blue was in a service closet somewhere and it's nice to have the flexibility if I need it in the future.

The WinGate installation was accomplished in a few minutes. Old Blue was restarted and I moved on to "4-Bits", the first Client PC.

Step 7: Configure the Client machines

As directed by the Help file, I copied the files "wg2util.exe" and "wg2auto.ini" to a newly-made "C:\WINGATE" directory on 4-Bits. I started the utility and followed the prompts to set up the Internet Explorer browser on 4-Bits to connect to the Internet through WinGate.

The browser on 4-Bits is Microsoft Internet Explorer v3.02 and the WinGate utility successfully configured it for use with WinGate as far as I could tell, but it would not work properly. Some sleuthing revealed that the utility had not set up the "DNS Configuration" as indicated in Step 5 above. It also did not set up a "hosts" file (see below) even though I had checkmarked the box that told it to do so. Maybe I did something wrong or did not understand the Help file. Maybe it was a problem with 4-Bits. It is not difficult to take care of these two items manually and that is what I did.

The "hosts" file is a sort of "phone book" for local IP addresses and host names. In Windows 95, it is "C:\WINDOWS\HOSTS." and in Windows NT it is "C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS.". Note that the file is an ordinary text file, but that it does not have an extension.

You see, the utility set up the browser to connect through a proxy called "wingate". That's fine but the browser doesn't know wingate from Adam, and that's where the hosts file comes in.

The browser "looks" in the hosts file for an entry called wingate and finds "192.168.0.1 wingate" which tells the browser that the proxy server host is at the 192.168.0.1 IP address.

The hosts file is a simple ASCII text file that can have many entries and be edited with "Notepad.exe". Just a couple of things to remember. Each entry begins with an IP address, followed by a host name with at least one space between them. There has to be a carriage return after the host name. If you create a hosts file instead of editing an existing one, you have to use a little trick in the "Save as" dialog to keep Notepad from putting the "TXT" extension on the end of the hosts file. In the Save as dialog, type "hosts." including the quote marks and the period to force Notepad to leave off the "TXT" extension.

I only had to create one hosts file. From then on when I set up a new client PC, I just copied the hosts file from 4-Bits to the proper subdirectory on the new client PC.
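
An added example (not from the original log or from WinGate's documentation): since the same hosts file is copied to every client, a short Python check can confirm it follows the rules above and that the proxy name maps to exactly one private address on the client's subnet. The sample file contents, the function names and the client address 192.168.0.2 are constructed for illustration.

```python
import ipaddress

# Constructed sample: the entry described above plus two faulty lines.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "192.168.0.1 wingate\n"
    "wingate 192.168.0.1\n"   # fields reversed
    "10.0.0.300 printer"      # invalid address, and no final carriage return
)

def parse_hosts(text):
    """Return (entries, problems); entries maps host name -> list of addresses."""
    entries, problems = {}, []
    if text and not text.endswith(("\n", "\r")):
        problems.append("last line has no carriage return")
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append(f"line {num}: '{fields[0]}' is not an IP address")
            continue
        if len(fields) < 2:
            problems.append(f"line {num}: no host name after the address")
        for name in fields[1:]:
            entries.setdefault(name.lower(), []).append(ip)
    return entries, problems

def check_proxy(text, proxy="wingate", client="192.168.0.2", mask="255.255.255.0"):
    """List problems, including a proxy name that leaves the client's private subnet."""
    entries, problems = parse_hosts(text)
    net = ipaddress.ip_network(f"{client}/{mask}", strict=False)
    ips = sorted(set(entries.get(proxy, [])))
    if not ips:
        problems.append(f"no entry for '{proxy}'")
    elif len(ips) > 1:
        problems.append(f"'{proxy}' maps to more than one address")
    for ip in ips:
        if not ip.is_private or ip not in net:
            problems.append(f"'{proxy}' -> {ip} is not a private address on {net}")
    return problems

if __name__ == "__main__":
    for problem in check_proxy(SAMPLE_HOSTS):
        print(problem)
```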

Step 8: Test TCP/IP

Time to determine if the Client PC can "see" the WinGate host. This is accomplished by "pinging" the host machine. A ping TCP/IP utility comes with Windows. I opened an MS-DOS window on 4-Bits and typed "PING wingate" at the DOS prompt as directed by the Help file. Hurrah! I got the proper response in return.

Step 9: Log on to GateKeeper

Back to Old Blue. The first time you start GateKeeper you are led through the process of setting up the "Administrator" password. It is fairly straightforward.

Step 10: Set up dialing

Following the Help file instructions, I opened up the "WinGate Dialer Properties" Dialog from within GateKeeper. I set up a "Phonebook" entry for my ISP as directed. I was done!

Step 11: We have contact!

I went back to 4-Bits and opened up the Explorer Browser. I typed "www.laroke.com" into the Address Field and pressed the "Enter" key. A split-second later, I could hear the SupraExpress modem on Old Blue dialing out. A few seconds after that, the LAROKE home page appeared in the Explorer browser window on 4-Bits! It works!

SUPINTREP: There was still a lot of fine-tuning and configuration yet to be done, but I had a basic WinGate setup with Internet Web browsing capability from one Client PC in working order. I still had to refine the WinGate configuration and add services (e-mail, ftp, and others). I had to configure several more Client PCs. I had to refine security and study WinGate in operation over time.

Those are the basics. I have barely gotten started here. Between the time when I first installed WinGate and the preparation of this essay, I have added America OnLine capabilities for two users, configured security options, set up MDaemon e-mail server software to work through WinGate and Voyager FTP to update this site.

MISREP: I highly recommend WinGate. About a week before my trial evaluation was due to run out, I purchased a five-user Pro license for our company installation. I consider it money well spent. I am happy and that is rare for me in the world of Windows software.

I have had a few glitches, but with the help of the support forums and maillist at the WinGate Web site, I have worked most of them out. There are a few persistent problems with the setup on Old Blue, but I don't think WinGate is the cause at this stage of the investigation. If WinGate turns out to be the culprit, however, I'll still be happy. I like it that much.


======================================

LAROKE Microcomputer Consultants
155 East Boca Raton Road
Boca Raton, Florida 33432
(561)368-0659 (Tel & Fax)

Issued Thursday August 6, 1998

copyright © 1996-1998 LAROKE Microcomputer Consultants all rights reserved