LOG IN |  Register | 0 item(s) in your shopping cart, USD
Download and try the latest WinGate 9 free for 30 days.


Transparent proxying

Transparent proxying is the interception of connections by a proxy.  This allows you to enforce a single policy on all traffic of a certain type, regardless of whether your users are configured to connect to a proxy, bypass proxy by using Network Address Translation (NAT), or whether they are using WinGate's SOCKS server or the WinGate Internet Client. Transparent proxying
Transparent proxying is where connections made through WinGate on specified ports, are intercepted by a proxy server in WinGate.

This provides several benefits:

  • The client applications (e.g. web browsers, or email clients), do not need to know about the existence of the proxy server, so there are no per-application setup requirements on your client machines. Clients are simply configured to use WinGate as their default gateway (standard NAT configuration), or use the WinGate Internet Client or SOCKS protocol.
  • The benefits of the proxy server in terms of access control, policy enforcement, logging and auditing, and performance benefits (e.g. HTTP caching) come into play.
  • Users cannot circumvent policy by avoiding going through the WinGate proxies, since the proxy intercepts the traffic outside of the user's control.
Several of WinGate's proxy services support transparent proxying: The WWW Proxy, SMTP and POP3 servers and proxies, and FTP proxy all support interception of connections in this way. Multiple ports may be intercepted by any of these proxies.

Connections are intercepted whether they are made by NAT, through the SOCKS service, or the WRP service. This means all traffic of a type may be forced through the application proxy, where the administrator then has the maximum control, and ability to specify policy in a single location.
Back to top

Multiple simultaneous internet connections

WinGate can bypass system routing when it makes outbound connections.  This allows you to define which available internet gateways will be used on a per-service basis, and the way that multiple connections can be used (e.g. failover, or round-robin for bandwidth aggregation).  WinGate monitors gateway availability (if enabled), and automatically applies the policies you define to the list of available gateways to select which gateway to use on a connection-by-connection basis. Gateway usage
You can use multiple Internet connections at the same time with WinGate, thereby increasing your system throughput. On a per-proxy basis in WinGate, you can specify multiple methods of using these multiple connections as well.

for instance you could:

  • Specify that the WWW Proxy uses all your available internet connections
  • Specify that another proxy uses only one of the connections, but if that becomes unavailable, to fail over to the next one
WinGate monitors connections for availability, including remote gateways, so even if your Internet connections go through another router or a device such as a DSL/NAT device, you can still keep track of it.

WinGate's gateway selection features also allows you to specify on a per service basis which gateway will be used, so if you had a combination of multiple DSL/NAT devices, network gateways, modems, etc, you could still specify which connections go through which gateway, even if they are on the same physical ethernet segment.
Back to top

WinGate Internet Client

The WinGate Internet Client is a piece of client software that may be installed on client computers on your LAN to provide enhanced access to the Internet through WinGate.

The client is installed into the windows sockets system which is used by applications such as browsers and email clients to access network services (i.e. make connections to servers, send and receive data etc). By hooking into this system, the WinGate Client is able to redirect connections and data transfers through WinGate's Winsock Redirection Service out onto the Internet.

This makes the client computer appear to be directly connected to the Internet, and means that client applications do not need to be configured to use a proxy server.

Network Address Translation is also a way of gaining internet connectivity for client machines without having to configure client software to use proxies, or install any software. However the WinGate Internet Client has some extra features and other advantages including:

  • The WinGate Internet Client also handles user authentication, independently of internet applications the user may be running.
  • In many cases client software thinks its IP address is the external IP address of the gateway, so when running an application that transmits this IP address, it will often transmit the external IP address of the gateway. also if the application chooses to listen on a port, this is also redirected to WinGate. This allows several applications to run using the WinGate client which otherwise will not work through a normal NAT system.
  • Information is gathered about the application that is running - this becomes visible in GateKeeper, and can be used in policies to block applications from running on client computers.

Back to top

Network Address Translation (NAT)

NAT stands for Network Address Translation. This system is used to enable machines behind a gateway which use private IP addresses, to access the Internet (which uses public IP addresses).

This works on a packet-by-packet basis. The NAT system receives packets from clients on the local network destined for the Internet. It changes the packets, by replacing the source IP address in the packet with the external IP address of the NAT system. This allows the server on the internet to send packets back. Packets received on external interfaces (i.e. from the Internet) are examined to determine whether they belong to any known connection between a client computer on the LAN and a machine on the Internet. If so, the packet addresses are translated back, and the packet is forwarded on to the client.

This allows two way communications between the clients on the network, and machines on the Internet.

There are several points to note about NAT systems:

  • They typically do not provide much analysis of data content, since the packets are at a low level, any one packet does not normally provide a lot of information on which to base analysis, and the accumulation of data that would be required to fully analyse data could likely create vulnerabilities for systems. Things like requiring authentication are therefore very difficult.
  • Because the amount of work required to translate packet addresses is small, the performance is typically very good.
  • The configuration required for local network clients is small normally

Back to top

Support for servers behind firewall

WinGate can redirect incoming connections on a given range of ports to a predetermined internal (or external) host.  WinGate allows you to override the port number as well.  A variety of other security-related options are also available. Port redirection
Similar to port redirection, but running as a proxy, the TCP and UDP mapping proxies allow you to map incoming connections through to pre-determined locations.  The mapping proxies also allow you to specify per-user mappings, and also mappings that depend which dialup connection you are currently connected to. TCP mapping proxies
Normally a proxy request made by a client contains information about the end-server that the proxy must connect to.  Requests that are typically made to a server do not contain this information, and are called Server Requests.  WinGate can handle server requests in a variety of ways, including blocking it, or piping it through to a predetermined server.  This can be used to host a WWW server behind your firewall, and still apply proxy rules to requests made to it from the Internet. Server request handling
WinGate supports several ways to allow access to servers on your LAN from the Internet. These are:
  • Redirect the port for incoming connections to your LAN-based server using the ENS
  • Create a TCP or UDP mapping proxy to accept connections, and connect through to your LAN-based server
  • On some proxies in WinGate, the non-proxy request configuration allows you to specify an internal server to forward requests to
The simplest method is the first one, redirecting using the ENS (shown in screen shot). With this option, you also have the option to not translate source IP - this means that the server on your LAN can learn the original IP address of the client on the Internet connecting to it.

The second method was the original method introduced in WinGate 1.0 in 1995, and is retained for compatibility. Because it is effectively using a proxy server, it has more control over policy than the above ENS-based method.

The third method is also an old one, however because the forwarding is handled by a proxy specific to the protocol being used, it has the most flexibility in terms of access control. For instance, if you use the WWW Proxy to forward inbound connections to an internal web server, you can also enforce authentication, or special policies.
Back to top

Support for multiple connection types

Because of the architecture of WinGate, it is to a large extent network-hardware-independent. This means that it supports most types of network connection that is supported by the operating system.

WinGate proxies will work with any interface that has an IP address, this means any connection. The WinGate ENS driver supports any NDIS-based miniport, and NDISWAN connection.

Furthermore, WinGate's dial on demand capabilities allows it to control any dialup connection that is accessible through Windows dialup networking. Custom support for AOL dialup, and Hughes DirecWay (formerly DirecPC) satellite connections is also included.
Back to top

Dial on demand

WinGate contains a dialer manager, that can access and control all dial up connections on the PC, be they through a traditional dial up to an ISP, an ADSL modem, or even AOL, as well as multiple instances of each.

WinGate can be configured so that if you have one ADSL connection and one dial up modem, it will attempt to use the ADSL first, and should that not succeed, then WinGate will fail over to the dial up connection, so that your users can always access the internet when needed.

You can also configure and assign access rights to each dial up connection profile in WinGate. In this way you can support multiple dialup accounts, and restrict access to each of those profiles.
Back to top