Transparent proxying is where connections made through WinGate on specified ports, are intercepted by a proxy server in WinGate.
This provides several benefits:
Several of WinGate's proxy services support transparent proxying: The WWW Proxy, SMTP and POP3 servers and proxies, and FTP proxy all support interception of connections in this way. Multiple ports may be intercepted by any of these proxies.
- The client applications (e.g. web browsers, or email clients), do not need to know about the existence of the proxy server, so there are no per-application setup requirements on your client machines. Clients are simply configured to use WinGate as their default gateway (standard NAT configuration), or use the WinGate Internet Client or SOCKS protocol.
- The benefits of the proxy server in terms of access control, policy enforcement, logging and auditing, and performance benefits (e.g. HTTP caching) come into play.
- Users cannot circumvent policy by avoiding going through the WinGate proxies, since the proxy intercepts the traffic outside of the user's control.
Connections are intercepted whether they are made by NAT, through the SOCKS service, or the WRP service. This means all traffic of a type may be forced through the application proxy, where the administrator then has the maximum control, and ability to specify policy in a single location.
Back to top
Multiple simultaneous internet connections
You can use multiple Internet connections at the same time with WinGate, thereby increasing your system throughput. On a per-proxy basis in WinGate, you can specify multiple methods of using these multiple connections as well.
for instance you could:
WinGate monitors connections for availability, including remote gateways, so even if your Internet connections go through another router or a device such as a DSL/NAT device, you can still keep track of it.
- Specify that the WWW Proxy uses all your available internet connections
- Specify that another proxy uses only one of the connections, but if that becomes unavailable, to fail over to the next one
WinGate's gateway selection features also allows you to specify on a per service basis which gateway will be used, so if you had a combination of multiple DSL/NAT devices, network gateways, modems, etc, you could still specify which connections go through which gateway, even if they are on the same physical ethernet segment.
Back to top
The WinGate Internet Client is a piece of client software that may be installed on client computers on your LAN to provide enhanced access to the Internet through WinGate.
WinGate Internet Client
The client is installed into the windows sockets system which is used by applications such as browsers and email clients to access network services (i.e. make connections to servers, send and receive data etc). By hooking into this system, the WinGate Client is able to redirect connections and data transfers through WinGate's Winsock Redirection Service out onto the Internet.
This makes the client computer appear to be directly connected to the Internet, and means that client applications do not need to be configured to use a proxy server.
Network Address Translation is also a way of gaining internet connectivity for client machines without having to configure client software to use proxies, or install any software. However the WinGate Internet Client has some extra features and other advantages including:
- The WinGate Internet Client also handles user authentication, independently of internet applications the user may be running.
- In many cases client software thinks its IP address is the external IP address of the gateway, so when running an application that transmits this IP address, it will often transmit the external IP address of the gateway. also if the application chooses to listen on a port, this is also redirected to WinGate. This allows several applications to run using the WinGate client which otherwise will not work through a normal NAT system.
- Information is gathered about the application that is running - this becomes visible in GateKeeper, and can be used in policies to block applications from running on client computers.
Back to top
NAT stands for Network Address Translation. This system is used to enable machines behind a gateway which use private IP addresses, to access the Internet (which uses public IP addresses).
Network Address Translation (NAT)
This works on a packet-by-packet basis. The NAT system receives packets from clients on the local network destined for the Internet. It changes the packets, by replacing the source IP address in the packet with the external IP address of the NAT system. This allows the server on the internet to send packets back. Packets received on external interfaces (i.e. from the Internet) are examined to determine whether they belong to any known connection between a client computer on the LAN and a machine on the Internet. If so, the packet addresses are translated back, and the packet is forwarded on to the client.
This allows two way communications between the clients on the network, and machines on the Internet.
There are several points to note about NAT systems:
- They typically do not provide much analysis of data content, since the packets are at a low level, any one packet does not normally provide a lot of information on which to base analysis, and the accumulation of data that would be required to fully analyse data could likely create vulnerabilities for systems. Things like requiring authentication are therefore very difficult.
- Because the amount of work required to translate packet addresses is small, the performance is typically very good.
- The configuration required for local network clients is small normally
Back to top
Support for servers behind firewall
WinGate supports several ways to allow access to servers on your LAN from the Internet. These are:
TCP mapping proxies
Server request handling
The simplest method is the first one, redirecting using the ENS (shown in screen shot). With this option, you also have the option to not translate source IP - this means that the server on your LAN can learn the original IP address of the client on the Internet connecting to it.
- Redirect the port for incoming connections to your LAN-based server using the ENS
- Create a TCP or UDP mapping proxy to accept connections, and connect through to your LAN-based server
- On some proxies in WinGate, the non-proxy request configuration allows you to specify an internal server to forward requests to
The second method was the original method introduced in WinGate 1.0 in 1995, and is retained for compatibility. Because it is effectively using a proxy server, it has more control over policy than the above ENS-based method.
The third method is also an old one, however because the forwarding is handled by a proxy specific to the protocol being used, it has the most flexibility in terms of access control. For instance, if you use the WWW Proxy to forward inbound connections to an internal web server, you can also enforce authentication, or special policies.
Back to top
Because of the architecture of WinGate, it is to a large extent network-hardware-independent. This means that it supports most types of network connection that is supported by the operating system.
Support for multiple connection types
WinGate proxies will work with any interface that has an IP address, this means any connection. The WinGate ENS driver supports any NDIS-based miniport, and NDISWAN connection.
Furthermore, WinGate's dial on demand capabilities allows it to control any dialup connection that is accessible through Windows dialup networking. Custom support for AOL dialup, and Hughes DirecWay (formerly DirecPC) satellite connections is also included.
Back to top
WinGate contains a dialer manager, that can access and control all dial up connections on the PC, be they through a traditional dial up to an ISP, an ADSL modem, or even AOL, as well as multiple instances of each.
Dial on demand
WinGate can be configured so that if you have one ADSL connection and one dial up modem, it will attempt to use the ADSL first, and should that not succeed, then WinGate will fail over to the dial up connection, so that your users can always access the internet when needed.
You can also configure and assign access rights to each dial up connection profile in WinGate. In this way you can support multiple dialup accounts, and restrict access to each of those profiles.
Back to top