Introduction
WinGate Proxy Server is designed to meet the connectivity, control, security and email needs of today’s Internet-connected businesses. WinGate Proxy Server takes the angst out of getting your network connected to the Internet, and making sure it is protected when you get there.
Network Address Translation (NAT), multiple protocol Proxy Servers and circuit-level proxies provide connectivity and fine-level access control. DHCP, automatic proxy configuration, and integration with your Active Directory make administration simple. A full-featured email server provides all your email requirements. Add to all this support for content filtering and antivirus scanning with two great WinGate plugins, and you have all you need to control Internet usage, and provide quick and secure access for whatever your business requires.
WinGate Internet Gateway and Communications Server
WinGate is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and communications needs of today’s Internet-connected businesses.
WinGate’s comprehensive range of license options provides you the flexibility to choose the features and capabilities that best match your needs and budget, whether you need to manage an enterprise, small business, or home network.
Key Functions
WinGate allows you to:
- Provide secure and managed Internet access for your entire network via a single or multiple shared internet connections
- Enforce advanced and flexible access-control and acceptable use policies
- Monitor usage in real time, and maintain per-user and per-service audit logs.
- Stop viruses, spam and inappropriate content from entering your network
- Provide comprehensive internet and intranet email services.
- Protect your servers from internal or external threats.
- Improve network performance and responsiveness with web and DNS caching
- Ease administration burdens on your internal networks.
Key Benefits
Using WinGate to actively manage the use of your Internet and network resources can provide many benefits, including:
- Improved Employee productivity
- Minimised time and resources required to maintain network integrity
- Reduced Employer liabilities
- Improved efficiency, responsiveness and reliability of network access

Easy Internet Sharing
WinGate will share most types of Internet connections effortlessly, allowing multiple users to simultaneously surf the web, retrieve their email, or chat with online messaging, as if they were directly connected to the Internet. Whether it is a simple dialup modem or hi tech broadband solution, WinGate can help to make the most out of the connection. WinGate will handle requests from a wide variety of Web applications and Internet protocols, such as Web browsers, Messaging software, FTP and SSL. WinGate also supports DirectPlay Internet games and Real Time Streaming Audio/Video.
Control Internet Access
With WinGate's user database and policies, parents and administrators alike can limit and control users' access to the web. With logging, auditing, and a real-time activity and history viewer, detailed records of user activities can be easily examined. This makes WinGate an ideal choice for Internet cafes and network administrators who work in environments where Internet access needs to be monitored closely.
Built-in Security
WinGate comes complete with a built-in firewall to ensure that each Internet connection is kept safe from attacks by hackers and intruders from the Internet. Your network safety can be further enhanced with optional plug-in components, available separately, which will scan incoming data for viruses, or filter out inappropriate content. This gives peace of mind to both parents and network administrators, so that you can be sure that your family or co-workers are using the Internet appropriately.
Features
WinGate has a comprehensive array of features, outlined below. They fall into 7 main categories. There are too many features to list them all here; for the full set, see the help documentation, which is available as a separate download.
Features - Connectivity
Features related to providing Internet connectivity
Multiple simultaneous internet connections
You can use multiple Internet connections at the same time with WinGate, thereby increasing your system throughput. On a per-proxy basis in WinGate, you can specify multiple methods of using these multiple connections as well.
For instance, you could:
- Specify that the WWW Proxy uses all your available internet connections
- Specify that another proxy uses only one of the connections, but if that becomes unavailable, to fail over to the next one
WinGate monitors connections for availability, including remote gateways, so even if your Internet connections go through another router or a device such as a DSL/NAT device, you can still keep track of it.
WinGate's gateway selection features also allow you to specify on a per-service basis which gateway will be used, so if you had a combination of multiple DSL/NAT devices, network gateways, modems, etc., you could still specify which connections go through which gateway, even if they are on the same physical Ethernet segment.
WinGate Internet Client
The WinGate Internet Client is a piece of client software that may be installed on client computers on your LAN to provide enhanced access to the Internet through WinGate.
The client is installed into the windows sockets system which is used by applications such as browsers and email clients to access network services (i.e. make connections to servers, send and receive data etc). By hooking into this system, the WinGate Client is able to redirect connections and data transfers through WinGate's Winsock Redirection Service out onto the Internet.
This makes the client computer appear to be directly connected to the Internet, and means that client applications do not need to be configured to use a proxy server.
Network Address Translation is also a way of gaining internet connectivity for client machines without having to configure client software to use proxies, or install any software. However the WinGate Internet Client has some extra features and other advantages including:
- The WinGate Internet Client also handles user authentication, independently of internet applications the user may be running.
- In many cases client software thinks its IP address is the external IP address of the gateway, so when running an application that transmits this IP address, it will often transmit the external IP address of the gateway. Also, if the application chooses to listen on a port, this is also redirected to WinGate. This allows several applications to run using the WinGate client which otherwise will not work through a normal NAT system.
- Information is gathered about the application that is running - this becomes visible in GateKeeper, and can be used in policies to block applications from running on client computers.
Network Address Translation (NAT)
NAT stands for Network Address Translation. This system is used to enable machines behind a gateway which use private IP addresses, to access the Internet (which uses public IP addresses).
This works on a packet-by-packet basis. The NAT system receives packets from clients on the local network destined for the Internet. It changes the packets, by replacing the source IP address in the packet with the external IP address of the NAT system. This allows the server on the internet to send packets back. Packets received on external interfaces (i.e. from the Internet) are examined to determine whether they belong to any known connection between a client computer on the LAN and a machine on the Internet. If so, the packet addresses are translated back, and the packet is forwarded on to the client.
This allows two way communications between the clients on the network, and machines on the Internet.
There are several points to note about NAT systems:
- They typically do not provide much analysis of data content. Because the packets are at a low level, any one packet does not normally provide a lot of information on which to base analysis, and accumulating the data that would be required to fully analyse content could create vulnerabilities for systems. Things like requiring authentication are therefore very difficult.
- Because the amount of work required to translate packet addresses is small, the performance is typically very good.
- The configuration required for local network clients is normally small.
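The translation described above can be modelled in a few lines. This is an added example, not WinGate code: the class and field names are hypothetical, the addresses are constructed documentation ranges, and it goes one step beyond the text by also translating the source port, which is what lets two clients share one external address.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Minimal model of a NAT gateway's connection table (hypothetical names)."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        # LAN-side flow -> external port chosen for it
        self.out_map = {}
        # (proto, external port, remote ip, remote port) -> LAN client endpoint
        self.in_map = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN packet to the gateway's external address."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.out_map.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.out_map[key] = ext_port
            self.in_map[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet):
        """Translate a packet from the Internet back to the client, or drop it.

        Returns None when the packet belongs to no known connection, which is
        why unsolicited inbound traffic never reaches LAN hosts.
        """
        if pkt.dst_ip != self.external_ip:
            return None
        client = self.in_map.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if client is None:
            return None
        return replace(pkt, dst_ip=client[0], dst_port=client[1])


if __name__ == "__main__":
    nat = Nat("203.0.113.5")  # constructed external address
    request = Packet("tcp", "192.168.0.10", 51000, "198.51.100.7", 80)
    on_wire = nat.outbound(request)
    print("sent as   ", on_wire)
    reply = Packet("tcp", "198.51.100.7", 80, on_wire.src_ip, on_wire.src_port)
    print("delivered ", nat.inbound(reply))
    probe = Packet("tcp", "198.51.100.99", 4444, "203.0.113.5", on_wire.src_port)
    print("unsolicited", nat.inbound(probe))
```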
Dial on demand
WinGate contains a dialer manager, that can access and control all dial up connections on the PC, be they through a traditional dial up to an ISP, an ADSL modem, or even AOL, as well as multiple instances of each.
WinGate can be configured so that if you have one ADSL connection and one dial up modem, it will attempt to use the ADSL first, and should that not succeed, then WinGate will fail over to the dial up connection, so that your users can always access the internet when needed.
You can also configure and assign access rights to each dial up connection profile in WinGate. In this way you can support multiple dialup accounts, and restrict access to each of those profiles.
Application proxies (WWW, FTP etc)
Transparent proxying
Transparent proxying is where connections made through WinGate on specified ports, are intercepted by a proxy server in WinGate.
This provides several benefits:
- The client applications (e.g. web browsers, or email clients), do not need to know about the existence of the proxy server, so there are no per-application setup requirements on your client machines. Clients are simply configured to use WinGate as their default gateway (standard NAT configuration), or use the WinGate Internet Client or SOCKS protocol.
- The benefits of the proxy server in terms of access control, policy enforcement, logging and auditing, and performance benefits (e.g. HTTP caching) come into play.
- Users cannot circumvent policy by avoiding going through the WinGate proxies, since the proxy intercepts the traffic outside of the user's control.
Several of WinGate's proxy services support transparent proxying: The WWW Proxy, SMTP and POP3 servers and proxies, and FTP proxy all support interception of connections in this way. Multiple ports may be intercepted by any of these proxies.
Connections are intercepted whether they are made by NAT, through the SOCKS service, or the WRP service. This means all traffic of a type may be forced through the application proxy, where the administrator then has the maximum control, and ability to specify policy in a single location.
Support for servers behind firewall
WinGate supports several ways to allow access to servers on your LAN from the Internet. These are:
- Redirect the port for incoming connections to your LAN-based server using the ENS
- Create a TCP or UDP mapping proxy to accept connections, and connect through to your LAN-based server
- On some proxies in WinGate, the non-proxy request configuration allows you to specify an internal server to forward requests to
The simplest method is the first one, redirecting using the ENS. With this option, you can also choose not to translate the source IP, which means that the server on your LAN can learn the original IP address of the client on the Internet connecting to it.
The second method was the original method introduced in WinGate 1.0 in 1995, and is retained for compatibility. Because it is effectively using a proxy server, it has more control over policy than the above ENS-based method.
The third method is also an old one, however because the forwarding is handled by a proxy specific to the protocol being used, it has the most flexibility in terms of access control. For instance, if you use the WWW Proxy to forward inbound connections to an internal web server, you can also enforce authentication, or special policies.
Support for multiple connection types
Because of the architecture of WinGate, it is to a large extent network-hardware-independent. This means that it supports most types of network connection that are supported by the operating system.
WinGate proxies will work with any interface that has an IP address, which means any connection. The WinGate ENS driver supports any NDIS-based miniport, and NDISWAN connection.
Furthermore, WinGate's dial on demand capabilities allow it to control any dialup connection that is accessible through Windows dialup networking. Custom support for AOL dialup, and Hughes DirecWay (formerly DirecPC) satellite connections is also included.
Circuit-level proxies (SOCKS / WRP)
AOL / DirecPC connections
Features - Administration
Administrative features
User accounting
WinGate offers per user accounting, ideal for Network Administrators and Internet Cafes alike.
WinGate keeps track of such information as bytes sent to client, bytes received for client, and seconds online, as well as allowing user-specified rates (charges) for each type.
Through a combination of this user accounting and WinGate policies, users can be restricted in their internet access, when they have spent too long online, or reached a download limit, for example.
Remote Administration
Using GateKeeper, the remote administration and management tool for WinGate, you can monitor and control Internet usage, and administer your gateway from remote locations.
Real-time activity monitoring
Real time activity monitoring is a feature of WinGate which allows you, when connected to WinGate with GateKeeper to view all activity of WinGate in real time. This includes client machines connected to the internet, machines on the internet connecting back to WinGate services, or internal maintenance tasks and system activity.
As well as being able to view activity in real time, you can also control it. If you see activity you do not like, you can terminate it. There are also simple shortcuts to blocking similar access in the future, such as:
- Blacklisting the IP address
- Banning the URL
- Disabling the user account
Secure Remote Command-line
WinGate provides access to the command shell processor on NT based operating systems (Windows NT, Windows 2000, Windows XP, and Windows 2003). This allows you to remotely and securely run multiple instances of the cmd.exe command interpreter on the remote server, allowing you to remotely perform operations such as:
- creation and deletion of files on the server
- modifications to the server route table using route.exe
- Check connectivity from the server using ping.exe or tracert.exe
- Reboot the server or other servers using Shutdown.exe
- Connect to network resources on the LAN connected to the server
Plus most applications that will run from the command line.
You can choose the user account that the cmd.exe process is executed in, and the input and output is transferred over the encrypted GateKeeper control channel, providing security.
Centralised WinGate Client configuration
Traffic monitoring
WinGate allows you to monitor all traffic coming in to or going out of the WinGate machine.
Traffic information is displayed on a per-interface basis, thus allowing you to see how much traffic is coming in to the WinGate machine from your LAN, as well as how much is going out to the internet, and with what level of performance.
DHCP Services
DHCP is a means for networked computers to get their TCP/IP networking settings from a central server. Importantly, DHCP assigns IP addresses and other TCP/IP configuration parameters automatically.
WinGate DHCP is different from other DHCP servers, in that it can even figure out what IP addresses to allocate without the administrator having to predefine pools of addresses (scopes). It can also figure out how to set the clients' gateway and several other parameters too, which means that not even the administrator needs to be a TCP/IP expert to operate the WinGate DHCP server.
Full manual override of all automatic settings is also available in order to allow administrators to cater for their specific requirements.
Logging and user auditing
WinGate contains a comprehensive logging subsystem, which can record data in two different formats, database and text file, and can store this information in 3 different ways:
- Firstly there is per Service logging, which can record all session information that goes through each of the services / proxies that WinGate runs, such as WWW, FTP or SMTP.
- Secondly, there is per User logging, or Auditing, where all activity for specific users can be monitored and stored, for review at a later date. As well as all session information from all services, user authentications and data usage are also logged.
- Finally, there is History logging, which is a global database of all traffic which has passed through WinGate, and with the use of GateKeeper's History pane the last 2000 entries can be displayed, for quick and easy access to what has just happened on your server.
Scheduler
WinGate has a built-in scheduler that allows you to define tasks that will be performed on a regular basis or specific date and time. A large number of internal WinGate functions may be triggered in this way including:
- WinGate maintenance activities, such as rolling over log files etc
- enabling and disabling of user accounts
- Starting or stopping of WinGate services
- Purging the HTTP cache
- Executing command lines (e.g. external batch files or scripts)
- Dialing an internet connection
- plus others
You may run multiple tasks with any particular scheduled event that you define, and using GateKeeper you can force a scheduled event to be processed at any time. The progress of these events is displayed in the System Activity area of the activity panel in GateKeeper.
Features - Performance
Features providing performance enhancements
Multiple simultaneous internet connections
HTTP caching
The WWW Proxy in WinGate creates the opportunity for networks to gain greater efficiency and performance of web browsing.
In general the term caching relates to the act of storing the results of previous operations in the hope that future operations will be able to be satisfied by looking up the stored result, rather than having to fetch the result again.
Especially on large networks, where many users look at the same web pages, reductions in Internet traffic and improvements in speed can result by storing web pages returned as a result of one user's browsing, and returning that stored copy when another user requests the same page.
WinGate has sophisticated rules which allow the system administrator to specify what sorts of requests will be cached, and how the cache will be maintained (since you can't let a cache grow forever or you will run out of disk space).
Bandwidth management / throttling
WinGate allows you to control how your available bandwidth is used. Certain applications such as streaming media players, internet radios, and others can soak up a lot of your available bandwidth, degrading the performance of core services such as email or web browsing. Furthermore, restricting bandwidth available to certain applications is an effective method of discouraging people from using certain applications (such as file-sharing or peer to peer programs) without having to completely ban them (which people can often circumvent anyway).
With WinGate's bandwidth control functions, you can control bandwidth on a number of criteria:
- Per client IP address, or range thereof
- per source or destination port
- Per time of day (so you can apply different restrictions at different times)
Additionally, you can specify restrictions in terms of absolute bandwidth, or as a proportion of available bandwidth.
The final control you have is scheduling priority. You can make certain services respond more quickly than others by giving a higher priority to the forwarding of packets related to that service.
DNS caching
WinGate includes a custom DNS resolver, which is used by WinGate services to resolve DNS queries. This DNS resolver was written so that WinGate could gain access to all the information returned by DNS servers to DNS requests. This information contains data relating to how long DNS records may be stored before they become stale. This allows WinGate to provide an effective and correct DNS cache.
DNS caching can greatly speed up the user experience of things such as web browsing. By storing (caching) the results of previous DNS lookups, keeping track of the freshness of the information, and returning cached information to clients on subsequent requests, DNS traffic can also be greatly reduced.
Features - Email
Email related features
POP3, SMTP, and IMAP4 servers
WinGate has a comprehensive POP3, SMTP and IMAP4 (version 6.1 or later) server built in. These servers support advanced authentication options, and secure connections for both delivery and reception of mail, allowing you to set up a secure email network accessible over untrusted networks such as the Internet.
Simple yet highly flexible domain and user-based delivery rules allow you to set up a comprehensive variety of scenarios, including:
- Catch-all mailboxes, where all mail for a domain goes to a specific mailbox
- Split domains, where mailboxes for a domain are hosted on more than one different server
- Forwarding domains
The SMTP server also supports a number of anti-spam measures to reduce inbound spam, and additionally mail received or retrieved can be scanned for viruses using the optional Kaspersky AntiVirus for WinGate component.
Flexible delivery options allow you to specify delivery requirements (such as authentication or secure connection requirements, or different port numbers) on a server by server basis where required.
Per-user restrictions are available, including maximum message sizes, redirecting mail, blocking file attachments per user, or copying mail to multiple recipients.
POP3 mailbox collection
WinGate can retrieve mail from POP3 mailboxes on other servers, and import them into the WinGate mail system for local or remote delivery.
The POP3 retrieval system allows you to parse retrieved emails, and deliver accordingly, or deliver all mail for a mailbox to a specific address.
If you have Kaspersky AntiVirus for WinGate installed and activated on your WinGate email, then retrieved emails will also be scanned for viruses.
Multiple security and authentication options
A range of security options are also available, including secure connection support using STLS, and various authentication methods including:
- plain USER/PASS
- NTLM (used for secure authentication to MS Exchange servers)
- CRAM-MD5
- APOP
By default WinGate will choose the most secure method available on the POP3 server that it is connecting to.
Attachment blocking
When an email has been received by the SMTP server in WinGate, before the WinGate SMTP server indicates that it will accept responsibility for delivery of the message, it scans it for unacceptable content. Should WinGate find any file attachments in the message that are denied, commonly executable files, then WinGate refuses to accept responsibility for the message.
The administrator can define any number of file extensions that will be denied, and apply this restriction to incoming and/or outbound mail.
Rejecting the message in this way reduces the workload on the server, and can filter out many attachments that are normally associated with viruses, such as executables and script files.
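A check of this kind, run at the end of the SMTP DATA phase before the server replies, can be sketched as follows. This is an added example, not WinGate's implementation: the function names, the deny list and the reply texts are assumptions, and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed sample deny list; the page only says the administrator defines it.
DENIED_EXTENSIONS = frozenset({".exe", ".scr", ".vbs", ".js", ".bat"})


def attachment_names(raw: bytes) -> list:
    """Return every attachment filename in the message, including nested ones."""
    msg = message_from_bytes(raw, policy=policy.default)
    # walk() descends into multipart containers and forwarded message/rfc822
    # parts, so an attachment inside a forwarded mail is still seen.
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def extension_of(filename: str) -> str:
    """Final extension, lower-cased, as Windows would interpret the name."""
    # Windows drops trailing dots and spaces, so "setup.exe. " is still an EXE.
    cleaned = filename.strip().rstrip(". ").lower()
    # Only the last extension decides how the file opens ("invoice.pdf.exe").
    return "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""


def denied_attachments(raw: bytes, denied=DENIED_EXTENSIONS) -> list:
    """Filenames in the message whose extension is on the deny list."""
    return [n for n in attachment_names(raw) if extension_of(n) in denied]


def end_of_data_reply(raw: bytes, denied=DENIED_EXTENSIONS) -> tuple:
    """Reply to send after the client's final '.', before accepting the mail.

    A 5xx reply here means the server never takes responsibility for the
    message, so nothing is queued and the sending side handles the failure.
    """
    if denied_attachments(raw, denied):
        return 554, "5.7.1 Message refused: attachment type not permitted"
    return 250, "2.0.0 Message accepted for delivery"


def build_sample(filename: str) -> EmailMessage:
    """Constructed test message with one attachment of the given name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for name in ("report.pdf", "Invoice.PDF.EXE"):
        print(name, "->", end_of_data_reply(build_sample(name).as_bytes()))
```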
Multiple authentication options
Email in WinGate supports a number of authentication options, depending on which user database you are using, or which email clients.
For SMTP reception and delivery to remote SMTP servers WinGate supports:
- SASL PLAIN method
- SASL CRAM-MD5 method
- NTLM method
WinGate's POP3 collection and POP3 server supports:
- USER/PASS method
- APOP method
- SASL PLAIN method
- SASL CRAM-MD5 method
- NTLM method
In addition, the methods offered by the SMTP server (reception) and POP3 server can be restricted according to whether or not the connection has been secured by STLS (or STARTTLS, the SMTP equivalent). This removes the vulnerability of insecure authentication methods by requiring that the connection be encrypted before an insecure method becomes available.
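The gating described above has two halves: what the server advertises, and what it accepts when a client asks for a method that was not advertised. The following added example (not WinGate code) shows both for SMTP, with a hypothetical policy table, and includes the CRAM-MD5 computation from RFC 2195 to show why that method does not expose the password on an unencrypted connection.

```python
import hashlib
import hmac

# Hypothetical per-mechanism policy: "always" or "tls_only".
# PLAIN sends the password itself, so it is held back until TLS is active.
AUTH_POLICY = {"PLAIN": "tls_only", "CRAM-MD5": "always", "NTLM": "always"}


def offered_mechanisms(policy: dict, tls_active: bool) -> list:
    """Mechanisms the server is willing to use on this connection right now."""
    return sorted(m for m, rule in policy.items()
                  if rule == "always" or tls_active)


def ehlo_capabilities(policy: dict, tls_active: bool) -> list:
    """Capability lines relevant to authentication in the EHLO response."""
    caps = [] if tls_active else ["STARTTLS"]
    mechs = offered_mechanisms(policy, tls_active)
    if mechs:
        caps.append("AUTH " + " ".join(mechs))
    return caps


def handle_auth(policy: dict, tls_active: bool, mechanism: str) -> tuple:
    """Decide how to answer 'AUTH <mechanism>'.

    Advertising alone is not enforcement: a client can request PLAIN even
    when it was not listed, so the same rule is applied again here.
    """
    mech = mechanism.upper()
    if mech not in policy:
        return 504, "5.5.4 Unrecognized authentication type"
    if mech not in offered_mechanisms(policy, tls_active):
        return 538, "5.7.11 Encryption required for requested authentication mechanism"
    return 334, ""  # continue with the mechanism's challenge


def cram_md5_digest(secret: str, challenge: str) -> str:
    """RFC 2195: HMAC-MD5 of the server challenge, keyed with the password."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def verify_cram_md5(secret: str, challenge: str, client_reply: str) -> bool:
    """client_reply is '<user> <hex digest>'; only the digest crosses the wire."""
    _user, _, digest = client_reply.rpartition(" ")
    expected = cram_md5_digest(secret, challenge)
    return hmac.compare_digest(digest.lower(), expected)


if __name__ == "__main__":
    for tls in (False, True):
        print("TLS" if tls else "clear", ehlo_capabilities(AUTH_POLICY, tls),
              handle_auth(AUTH_POLICY, tls, "PLAIN"))
```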
MS Outlook secure authentication
Microsoft® Outlook only supports one type of secure authentication, which is via NTLM, against an NT database. With WinGate's built-in ability to synchronise with such a database, Outlook users can authenticate with WinGate's SMTP and POP3 servers, sending their username and password to WinGate in an encrypted format rather than plain text.
Support for Antivirus data scanning
WinGate includes support for several plug-in components which are available separately. These data scanning components allow you to scan content passing through WinGate proxies. One component is an AntiVirus plugin, called Kaspersky AntiVirus for WinGate (KAVWG). The AntiVirus technology in this plugin is licensed from the well-respected Kaspersky Labs.
Several proxies and services in WinGate support scanning content for viruses using this plugin:
- The SMTP server. This scans all received mail, and mail retrieved using POP3 collection
- The WWW proxy. This scans files as they are downloaded to your browser, and can detect not only files containing viruses (i.e. infected EXEs or ZIP files), but also iFrame exploits, and common attacks against web browsers.
- The POP3 Proxy. If you collect your email from a POP3 server on the Internet through WinGate's POP3 Proxy, you can also scan the email as it is being retrieved for viruses.
- The FTP proxy. Files being downloaded or uploaded can be scanned for viruses.
If a file fails scanning because it contains a virus, it is placed in WinGate's quarantine, where it may be released by the system administrator.
Anti-spam measures
WinGate's SMTP server gives the user a number of options to help prevent unsolicited email from being accepted by WinGate.
To start with, WinGate can use Open Relay Databases (ORDB), which are available on the Internet and are queried with a DNS lookup, to check whether a computer connecting to WinGate is a known open relay or spammer.
WinGate will also optionally block invalid sender domains (i.e. domains that do not exist, or have specific properties - e.g. the MX record resolves to "localhost" or other disallowed records).
Finally, WinGate uses an SPF-style check if you enable "block spoofed sender addresses". The key difference between this check and SPF, is that SPF requires domains to specify valid senders by publishing an SPF DNS record. Most sites do not have one of these, so SPF is still not widespread enough to be used to verify most domains. WinGate's method - by using a combination of assumptions - can gain a high level of certainty about sites and domains that do not have published SPF records. Inevitably there will be some sites that do not pass WinGate's anti-spoofing checking, so there is a comprehensive white-list option to allow these through.
Remote Email Queue Management
With the email tab in GateKeeper you can easily manage several aspects of your server mail queues. Functions include:
- Aborting delivery of mail to a domain (domain job)
- Retrying all delivery
- resetting the delivery try count on a domain job
- Deleting or bouncing specific messages from a particular domain job
- previewing messages in the queue
POP3 and SMTP proxies
In addition to the comprehensive POP3 and SMTP servers in WinGate, WinGate includes a POP3 proxy and an SMTP proxy.
The proxies differ from the servers in that they are intended to be connected through rather than connected to. E.g. if you connect to a POP3 server on the Internet, you may choose to connect through the POP3 proxy, and have it scan your email for viruses at the same time.
However, we do not recommend that you use the SMTP proxy unless you specifically do not wish to use the SMTP server in WinGate, or your license does not give you access to it (version 4.x license or earlier).
The POP3 proxy, on the other hand, is often used, since it is common to need to access a POP3 server on the Internet.
User quotas and restrictions
If you choose to let WinGate host your users' mailboxes, you can specify individual requirements on the users' mailboxes and email addresses.
You can specify the maximum amount of disk space that a user's mailbox may use.
Furthermore, for any email addresses whether associated with a local mailbox or destined to be forwarded to another server, you can specify additional restrictions, such as blocking attachments, setting a maximum message size, or copying the mail to other local or remote addresses.
Comprehensive message routing
Flexible delivery options
Secure connections (SSL/TLS)
Features - Access Control
Features related to controlling Internet access
Terminal services / multiple users per IP
WinGate 6.0 solves the problem of per-user policy where users are hosted on a terminal server.
Most proxy servers associate the IP address of the client machine with a single user at any one time. If there are many users logged into a terminal server which then connects out through such a proxy, all connections are from the same IP address. This means a traditional problem has been how to tell individual users apart for access to the Internet if they are logged into a terminal server.
WinGate 6.0 solves this problem with Multi-user Machine support. This allows individual authentication of users who are using a terminal server to access the Internet.
Normally, WinGate will associate user credentials with an IP address, and new sessions from that IP will inherit these credentials. However, if you specify the IP address of your terminal server in WinGate's Multi-User Machine dialog, credentials are no longer inherited for connections from that IP. This means that if your access policies require authentication, then every connection from that IP will have to be individually authenticated. This then allows per-user authentication from a terminal server.
Some protocols do not provide for authentication to a proxy server (such as DNS, file-sharing apps etc). This means this traffic may show up as belonging to the Guest user. If you install the WinGate Internet Client on the terminal server however, and are using the Windows or Active Directory user database in WinGate, then authentication of the logged in user becomes automatic (and uses their windows credentials). Furthermore all TCP connections made by the user will be associated with their credentials whether or not the application they are using supports proxy authentication.
User authentication options
WinGate supports several modes of operation, and methods for authentication.
Different sites and networks often have different policy requirements for access to internet services. In some cases the system administrator may wish to completely lock down the system, and only allow a restricted set of users to perform restricted activities. Other installations may allow more freedom.
To cater for these varying requirements, WinGate was developed to support various methods of operation in relation to user identification and validation, ranging from no authentication at all, through assuming who a user is based on their IP, through to forced authentication.
Each of these options is selected on a per-service or global basis through WinGate policies. Choosing the appropriate option on the user tab of the Policy editor in WinGate allows you to specify whether a user may be assumed, could be anyone or guest, or must authenticate with a strong authentication method to gain access to that right (i.e. rights to access a service, or perform a task in WinGate).
Further to this, if policy dictates that user authentication is to be used, there are several options available.
- WinGate's own secure MD5-based challenge response authentication method provided by the Remote Control Service in WinGate (used by GateKeeper, and the Java Client available through the WWW Proxy) [only available if you are using WinGate's built-in user database];
- Microsoft's proprietary NTLM method. This method is integrated into client software such as MS Internet Explorer, or Outlook, and is available in WinGate in the Remote Control Service (for GateKeeper access), WWW Proxy, SMTP server, POP3 Server, and Winsock Redirection Service (for the WinGate Internet Client) [only available if you are using the Windows user database];
- HTTP Basic authentication for the WWW Proxy
- Several other mail specific options, such as CRAM-MD5, SASL PLAIN, APOP, and plaintext options.
Notes:
- NTLM is only available if you choose to use the operating system's user database (i.e. Windows or Active Directory).
- In addition to the above, users can make use of plaintext (insecure) authentication in Telnet, HTTP or SOCKS 5 to achieve an assumed level of authentication.
- The ability to use NTLM authentication in the WWW Proxy is available only in WinGate 6 Pro and Enterprise.
Support for AI content filtering
WinGate includes support for several plug-in components which are available separately. These data scanning components allow you to scan content passing through WinGate proxies. One component is PureSight, a Content Filter provided in association with Icognito, which scans WWW traffic for undesirable content.
A number of different categories exist that cover common topics that users may wish to block from their network. These range from sex and gambling, through to sport sites, job seeking, and web mail.
There are also a number of different ways content can be blocked, be it via the AI, a match with a listing on a global database, or by a user-customisable ban list.
Active Directory integration
WinGate (version 6.0 and later) has the ability to integrate and synchronise with an Active Directory User Database, be it on the local or a remote machine.
This allows you to set up internet access policies in WinGate based on your current setup of users and groups in AD, instead of having to recreate them all, as well as allowing you to use NTLM authentication for such services as SMTP, WWW, and POP3.
For information on non-Active Directory user databases, see the link on the features page.
In-built or OS user database
WinGate doesn't have to use its own user database. It can use an existing NT database (Windows NT and later operating systems are supported, with the exception of XP Home edition). This can be a local or remote NT database, or even a local or remote domain controller.
This allows you to set up internet access policies in WinGate based on your current setup of users and groups in Windows, instead of having to recreate them all, as well as allowing you to use NTLM authentication for such services as SMTP, WWW, and POP3.
For information about Active Directory, see the link on the features page.
User and group management
The core of any secured access control system is user management. You can't provide per-user rules, or restrict access on a per-user basis without some concept of what a user is.
WinGate allows for use of several user databases. Firstly, for those operating systems that do not provide a built-in user database (such as Windows 95, 98, ME, and XP Home), WinGate provides its own built-in user database. For other Windows operating systems, you may alternatively choose to use the user database that is made available in the Operating System itself, thereby avoiding the necessity to set up and maintain an additional user database. This can be extremely useful for users of large databases. Additionally, WinGate can use a remote user database hosted on an Active Directory, Domain Controller, or even NT Workgroup.
If using the WinGate User Database, then you can create as many Users and Groups as you need, for example having groups for different departments in your company, and having groups that will be allowed to access the internet, and groups that won't. You can also have nested groups (groups within groups) to more accurately model your organisational structure.
Of course you may already have these set up on the servers on your network, in which case you can point WinGate at the machine which holds your user database, and it will synchronise with all your predefined users and groups.
No matter which user database you prefer, it is through these that you can then configure WinGate to control access to specific internet services, in conjunction with authentication and system and service policies.
Global and per-service policies
Advanced policy criteria
Features - Security
Features related to security
Support for Antivirus data scanning
WinGate includes support for several plug-in components which are available separately. These data scanning components allow you to scan content passing through WinGate proxies. One component is an AntiVirus plugin, called Kaspersky AntiVirus for WinGate (KAVWG). The AntiVirus technology in this plugin is licensed from the well-respected Kaspersky Labs.
Several proxies and services in WinGate support scanning content for viruses using this plugin:
- The SMTP server. This scans all received mail, and mail retrieved using POP3 collection.
- The WWW proxy. This scans files as they are downloaded to your browser, and can detect not only files containing viruses (i.e. infected EXEs or ZIP files), but also iFrame exploits, and common attacks against web browsers.
- The POP3 Proxy. If you collect your email from a POP3 server on the Internet through WinGate's POP3 Proxy, you can also scan the email as it is being retrieved for viruses.
- The FTP proxy. Files being downloaded or uploaded can be scanned for viruses.
If a file fails scanning because it contains a virus, it is placed in WinGate's quarantine, where it may be released by the system administrator.
Stateful packet-level firewall
WinGate's ENS component provides for a number of features at the packet level. Because of where the WinGate ENS driver hooks into the networking subsystem of your computer, it sees all incoming packets before Windows itself does. This means WinGate's firewall can protect your system by blocking access to ports that you specify.
The firewall also is stateful in that it maintains a database of all connections through the system, and knows which state they are in. This allows WinGate to block certain attacks that other non-stateful firewalls cannot.
Additionally the firewall in WinGate can also harden your system against certain attacks on ports that you need to leave open for external access. For example if you are running a public web server, or mail server on the same machine as WinGate, the firewall can provide SYN flood protection and a number of other protective mechanisms.
SYN-cookies
SYN cookies allow WinGate to validate a session before its packets are allowed to even reach the port, by keeping track of valid ACK requests from a host on the Internet, so that bogus packets (such as those used in a network attack called a SYN flood) have less chance of penetrating WinGate's defences.
This option is not ticked by default to allow for maximum application session compatibility and should only be implemented by administrators who are experienced with TCP session mechanisms.
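The general SYN-cookie technique, as an added example that is not WinGate's implementation: the server encodes what it would otherwise store for a half-open connection into the sequence number of its SYN-ACK, and accepts a final ACK only if it echoes a value the server could have issued. The bit layout, the HMAC-SHA256 hash, the MSS table and all addresses are assumptions made for this sketch.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"     # constructed; a real stack uses a random per-boot key
MSS_TABLE = (536, 1300, 1440, 1460)  # constructed; 2 cookie bits index into this table
SLOT_SECONDS = 64                    # a cookie is valid in its own time slot and the next
M32 = 0xFFFFFFFF

def _mac24(src, sport, dst, dport, client_isn, slot, mss_idx):
    """24-bit keyed hash binding the cookie to one connection attempt and time slot."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn & M32, slot & M32, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server sequence number for the SYN-ACK: 6 bits slot | 2 bits MSS index | 24 bits MAC.
    Nothing about the half-open connection is stored."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(mss, MSS_TABLE[0]))
    mac = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
    return ((slot & 0x3F) << 26) | (mss_idx << 24) | mac

def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the handshake's final ACK statelessly; return the MSS, or None to drop."""
    cookie, client_isn = (ack - 1) & M32, (seq - 1) & M32
    mss_idx = (cookie >> 24) & 0x3
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):
        if (slot & 0x3F) != cookie >> 26:
            continue
        mac = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
        if hmac.compare_digest(mac.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None

if __name__ == "__main__":
    conn = ("203.0.113.7", 40000, "198.51.100.1", 80)   # constructed addresses
    c = make_cookie(*conn, client_isn=1000, mss=1460, now=1_000_000)
    print("real client ACK :", check_ack(*conn, seq=1001, ack=(c + 1) & M32, now=1_000_010))
    print("guessed ACK     :", check_ack(*conn, seq=1001, ack=0x12345678, now=1_000_010))
```

Because only the negotiated MSS survives in the cookie, other TCP options sent in the SYN are lost on connections validated this way, which is one reason the compatibility caveat above matters.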
DMZ Support
WinGate allows you to define interfaces as being connected to certain types of network:
- Internal network (i.e. your LAN)
- External network (i.e. the Internet)
- De-militarized zone (DMZ)
This provides the capability to set up a DMZ connected to any interface specified by you as being of that type.
A network connected to a DMZ interface in WinGate is protected from the Internet, and also firewalled from Internal Interfaces. You have separate control over which ports are available from the Internet, but the key difference between a DMZ interface, and an Internal interface, is that packets going from the DMZ to the Internet are not address translated (NAT is not performed), therefore the machines on the DMZ must have public IP addresses.
Application execution control
With a lot of today's network attacks coming from within the corporate LAN, be it from an employee unwittingly receiving virus-infected emails, or deliberately running malicious applications, controlling what occurs on your network is all-important.
WinGate, in conjunction with the WinGate Internet Client (WGIC), allows remote client lockdown to prevent undesirable applications from running.
Whenever a program on a client machine loads, if it uses any sort of networking based on Windows Sockets and attempts to make a socket connection, the WinGate Internet Client will intercept it and check with WinGate whether the program is allowed to run or not. WinGate can be configured to give a variety of responses, ranging from allowing the program to have global internet access, to not even allowing it to run on the local client machine.
Secure connections (SSL access to proxies)
Features - Reliability
Features related to improving system reliability
Internet connection failover
In conjunction with Gateway Monitoring, but also handling dialup connections, the Connection failover features in WinGate are flexible and comprehensive.
Should an internet connection become unavailable, either by virtue of a dialup connection failing to connect, or an internet gateway becoming unavailable, then the administrator can set up policy for how to fail over to another connection. This policy may be set on a per-service basis in WinGate, and concerning dialup connections there is a global precedence of connections that may also be applied.
This allows for instance the WWW Proxy to fail over to one circuit, but email to fail over to a different backup circuit in the event of a failure in connectivity.
The unavailable gateways are still monitored, so if they become available again, they will be used again.
Server redundancy options
Normally options for server redundancy are limited. Apart from the obvious hardware redundancy options, if you choose to deploy and use the WinGate Internet Client on your networks, then you have a further opportunity to provide fail-over services in the event of a system crash.
By deploying the WinGate Internet Client, then installing several WinGate servers (whether they each have a connection, or share connections), then if one server becomes unavailable, the automatic discovery mechanism used by the WinGate Internet Client will kick in and find the fall-back server.
This allows the client machines to maintain access to the Internet even though the main gateway may have been disabled.
Internet gateway monitoring
WinGate can monitor gateway machines on the same Ethernet segment. By using a periodic ARP request, WinGate learns of failures of gateway machines. Upon such failures, WinGate marks that gateway as unusable, and the gateway selection features and connection failover features will (depending on your configuration) switch over to an alternative connection.
Administrators can specify different schemas for failover on a per-service basis, allowing for instance the WWW Proxy to fail over to one circuit, but email to fail over to a different backup circuit.
The unavailable gateways are still monitored, so if they become available again, they will be used again.
Automatic system reconfiguration