Recipients

When assigning recipients to a right in a System or Service policy, there are a number of configurable options that you can apply to the Policy recipient.

Recipient tab

The Recipient tab in the Policies configuration specifies who is the recipient of the right you are editing.

You may choose Everyone, or specify a user or group.

The Administrator can choose from three levels of authentication:

  • Selecting the User must be authenticated option requires users to authenticate with WinGate.
  • Selecting the User may be assumed option allows authenticated and assumed users, but non-authenticated users from an unknown location will be denied.
  • Selecting the User may be unknown option means that this recipient applies to anyone.

Location tab

The Location tab is used to restrict the locations where the recipient can use the right.

A user connecting from any of the included locations is a valid recipient.

A user connecting from any of the excluded locations is not a valid recipient.

This allows you to restrict rights based on the location of the user.

You can specify rights that are available from:

  • Everywhere
  • A range of IP numbers (by use of a filter), or
  • A single IP

In order for the right to be granted, the IP number of the computer that the user is on must match at least one Included location, and must not match any of the excluded locations.

An IP Filter can contain wild cards, allowing you to specify a range of IP addresses.

By using wild cards (e.g. the characters ? and *) you can tell WinGate to ignore certain parts of the IP address when comparing against the location restrictions.

These wild cards work in the same way as they do for DOS filenames, so if you are familiar with this then this concept should be easy.
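
The include/exclude rule and wildcard filters described above, modelled as an added example (not WinGate's own code). It assumes filters are compared against the dotted-decimal text of the address, uses Python's fnmatch to stand in for the DOS-style ? and * wild cards, and treats Everywhere as a match-all filter; the policy and addresses are constructed. The outside_intended check shows that a filter such as 192.168.1* admits more than the 192.168.1.x range.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

EVERYWHERE = ["*"]  # assumption: "Everywhere" modelled as a match-all filter


def matches_any(ip, filters):
    """True if the dotted-decimal text of ip matches any wildcard filter."""
    return any(fnmatchcase(ip, f) for f in filters)


def location_allows(ip, included, excluded):
    """Grant only if ip matches at least one included and no excluded location."""
    return matches_any(ip, included) and not matches_any(ip, excluded)


def outside_intended(filter_, intended_cidr, sample_ips):
    """Sample IPs the filter admits although they lie outside the intended network."""
    net = ip_network(intended_cidr)
    return [ip for ip in sample_ips
            if fnmatchcase(ip, filter_) and ip_address(ip) not in net]


# Constructed sample policy and client addresses
INCLUDED = ["192.168.1.*", "10.0.0.5"]   # a wildcard range and a single IP
EXCLUDED = ["192.168.1.25?"]             # carve 192.168.1.250-255 out of the range
SAMPLES = ["192.168.1.10", "192.168.1.251", "192.168.10.7",
           "192.168.100.3", "10.0.0.5", "172.16.0.1"]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(f"{ip:15} granted={location_allows(ip, INCLUDED, EXCLUDED)}")
    # Textual matching: dropping the dot before * widens the filter
    print(outside_intended("192.168.1*", "192.168.1.0/24", SAMPLES))
```
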

Time Tab

The Time tab allows you to specify when the recipient has rights.

You can specify always, or you can specify times when the recipient has the rights, and times when the recipient does not have the rights.

You do this by adding time-slices to the included times or excluded times.

If you choose to specify when the recipient has rights, then you must add an included time for when you want the right to apply.

You can specify times on a regular or one-off basis, so you can set up rules like "every weekday from 09:00:00 to 17:00:00" or "From 12-Jan-97 12:00:00 to 13-Jan-97 12:00:00".

Ban List tab

The Ban List tab is the most useful tab for limiting user access.

This list bans anything that matches any of the criteria. In the example above, no one can access the server 'Naughty.com'. Bans can be made globally with Default Rights, or configured on a per-service basis.

Example

To add a Global ban for www.naughty.com:

  1. Open GateKeeper.
  2. Log on as Administrator.
  3. Open the Users tab and select System Policies.
  4. Edit the Everyone recipient.
  5. Select the Ban list tab.
  6. Select the Enable ban list check box.
  7. Click Add.
  8. Select This criterion met if, Server name, equals.
  9. Enter the name you wish to ban, i.e. www.naughty.com.
  10. Click OK.

The ban will then appear in the Banned criteria list.

Note:

  • A recipient is banned if any criteria match the global or service ban list.
  • Anything you ban is inaccessible for that recipient.
  • It is easier to ban URLs containing certain words than complete URLs or sites.
  • You can deny access to certain parts of a site with a ban of URL contains 'www.servername.com/dir1/dir2/'. This will allow access to any other part of a site. This can be used for access control depending on logged on user or group.

Advanced Tab

The Advanced tab allows you to place restrictions on the request that a user can make when accessing a service. You can specify combinations of required and banned criteria in order to limit the requests your users can make.

If you choose to specify which requests the recipient has rights for, then you specify filters and criteria. If you specify no included criteria, then there are no restrictions. This dialog follows the same logic as the Caching tabs.

Think of this dialog as adding restrictions to the request.

You have access to a number of variables when specifying a criterion. Here is the list of variables that you have access to when setting up criteria.

In this list, All means all services except DHCP.

| Variable | Variable type | Services | Description |
|---|---|---|---|
| Client IP number | String | All | The IP address the user is connected from |
| Client port number | Number | All | The port number on the client's computer |
| Client Netbios name | String | All + DHCP | The network name of the computer connecting |
| Client MAC address | String | All + DHCP | The MAC address of the LAN adapter in the requesting computer |
| Client is a DHCP client | True/False | All | The connecting computer has an IP assigned by WinGate |
| Server name | String | All | The name or IP of the server the client has asked to be connected to |
| Server port number | Number | All | The port number on the server the client has asked to be connected to |
| User: Username | String | All | The username (in WinGate) of the client. This is the account to which data and time will be recorded |
| User: Authentication level | Number | All | The user authentication level. 0 = Unknown user, 1 = Assumed, 2 = Authenticated |
| User: Bytes sent to client | Number | All | The number of bytes sent to date to the client from WinGate |
| User: Bytes received from client | Number | All | The number of bytes received to date from the client by WinGate |
| User: Bytes sent for client | Number | All | The number of bytes sent to date by WinGate on behalf of the client (e.g. to servers) |
| User: Bytes received for client | Number | All | The number of bytes received to date by WinGate on behalf of the client (e.g. to servers) |
| User: Seconds on line | Number | All | The number of seconds the user has been accessing WinGate to date |
| User: Account balance | Number | All | The user's account balance |
| Session description | String | All | Description of session |
| HTTP Protocol | String | WWW | The protocol the user has requested in the URL, e.g. http, ftp, wais, ssl, gopher |
| HTTP Method | String | WWW | The HTTP command sent by the user, e.g. GET, HEAD, LIST, PUT, CONNECT, POST |
| HTTP Resource | String | WWW | The file requested by the user |
| HTTP URL | String | WWW | The full URL |
| HTTP POST data | String | WWW | The contents of any form sent using the POST method |
| HTTP Query string | String | WWW | The contents of the query string. This is normally the contents of a form posted by the GET method |
| HTTP Header field | String | WWW | Any specified HTTP request header as defined in the HTTP protocol standard. You must supply the name of the field, e.g. "User-Agent", "If-Modified-Since", etc. |
| Is Non-proxy method | True/False | All Proxies | Whether the request was a non-proxy request |
| Session was handed over | True/False | WWW | Whether the session was handed over from SOCKS |
| POP3 Username | String | POP3 | The username of the POP3 mailbox the user is accessing |
| FTP Username | String | FTP | The username on the FTP server the user is accessing |
| VDOLive File | String | VDOLive | The file requested by the VDOLive player |
| SOCKS Protocol version | Number | SOCKS | The SOCKS protocol version number. 4 or 5 are valid |
| SOCKS Command | Number | SOCKS | The SOCKS command: 1 = connect, 2 = bind, 3 = UDP associate (SOCKS5 only) |
| SOCKS Address type | Number | SOCKS | The SOCKS address type (relevant for SOCKS5 requests only): 1 = IP4, 2 = Name, 3 = IP6 (not supported) |

The variable type determines what comparisons you can make with that variable. If the variable is a number, you can check whether a number you specify is greater than, less than, or equal to the variable you select.

If the variable is a string then you can apply comparisons such as "contains", "begins with", "ends with" or is "empty".
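
The typed comparisons described above and the ban list's "any criterion matches" rule, modelled as an added example (not WinGate's own code). The variable names come from the table; the requests, the case-insensitive string comparison and the helper names are assumptions made for illustration. Running a ban list over sample requests this way works as a rule-coverage check before a policy is relied on.

```python
STRING_OPS = {
    "equals":      lambda v, a: v == a,
    "contains":    lambda v, a: a in v,
    "begins with": lambda v, a: v.startswith(a),
    "ends with":   lambda v, a: v.endswith(a),
    "empty":       lambda v, a: v == "",
}
NUMBER_OPS = {
    "greater than": lambda v, a: v > a,
    "less than":    lambda v, a: v < a,
    "equals":       lambda v, a: v == a,
}

def criterion_met(request, variable, op, arg=""):
    """Evaluate one criterion; the variable's type selects the allowed comparisons."""
    value = request[variable]
    if isinstance(value, str):
        # Assumption: string comparisons ignore case
        ops, value, arg = STRING_OPS, value.lower(), str(arg).lower()
    else:
        ops = NUMBER_OPS
    if op not in ops:
        raise ValueError(f"{op!r} is not valid for {variable!r}")
    return ops[op](value, arg)

def is_banned(request, ban_list):
    """A request is banned if ANY criterion in the ban list matches."""
    return any(criterion_met(request, *c) for c in ban_list)

def blocked(ban_list, requests):
    """Rule-coverage check: URLs of the sample requests the ban list blocks."""
    return [r["HTTP URL"] for r in requests if is_banned(r, ban_list)]

def req(url, level=2):
    """Build a constructed sample request keyed by the table's variable names."""
    return {"Server name": url.split("/")[2], "HTTP URL": url,
            "User: Authentication level": level}

# Constructed sample traffic and ban list
REQUESTS = [req("http://www.naughty.com/"),
            req("http://www.servername.com/dir1/dir2/page.html"),
            req("http://www.servername.com/dir1/other.html"),
            req("http://example.org/", level=0)]
BAN_LIST = [("Server name", "equals", "www.naughty.com"),
            ("HTTP URL", "contains", "www.servername.com/dir1/dir2/"),
            ("User: Authentication level", "less than", 2)]

if __name__ == "__main__":
    print(blocked(BAN_LIST, REQUESTS))
```
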
