When you assign a recipient to a right in a System or Service policy, a number of options control when that recipient actually holds the right.
The Recipient tab of the policy editor specifies who the recipient of the right you are editing is: Everyone, or a particular user or group.
The Administrator can choose from three levels of authentication for the recipient:
- User must be authenticated: the right applies only to users who have authenticated to WinGate.
- User may be assumed: the right applies to authenticated users and to assumed users (users identified by the location they connect from rather than by logging on); unauthenticated users connecting from an unknown location are denied.
- User may be unknown: the right applies to anyone, authenticated or not.
Choose the weakest of these levels deliberately: a right granted to "User may be unknown" is effectively granted to any machine that can reach WinGate from a permitted location.
The Location tab restricts the locations from which the recipient can use the right.
A user connecting from any of the included locations is a valid recipient; a user connecting from any of the excluded locations is not.
You can specify rights that are available from:
- A range of IP numbers (by use of a filter), or
- A single IP
For the right to be granted, the IP address of the computer the user is on must match at least one included location and must not match any excluded location.
An IP filter can contain wildcards, which lets one entry stand for a range of addresses: '?' matches exactly one character and '*' matches any run of characters, exactly as they do in DOS filenames, so WinGate ignores those parts of the address when comparing it against the location restrictions.
Because the comparison is textual, anchor the filter on the dots: '192.168.1.*' covers 192.168.1.0 to 192.168.1.255, whereas '192.168.1*' also matches 192.168.10.x and 192.168.100.x.
Remember that the location check sees only the source IP address of the connection, so it is as trustworthy as the network between the client and WinGate; it should complement authentication, not replace it.
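The include/exclude rule and the DOS-style wildcard matching described above, as an added Python example that is not WinGate's own code. The filter strings and the 192.168.1.0/24 policy are constructed for illustration; the matcher translates '?' and '*' into an anchored regular expression and escapes everything else, which is what makes the trailing dot in '192.168.1.*' matter.

```python
from __future__ import annotations
import re


def wildcard_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate a DOS-style filter into an anchored regular expression:
    '?' matches exactly one character, '*' matches any run of characters
    (including none), everything else is literal.  Dots are escaped, so a
    dot in the filter only ever matches a dot in the address."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matches_location(ip: str, location_filter: str) -> bool:
    """True if the client's dotted-decimal address matches one location filter."""
    return wildcard_to_regex(location_filter).match(ip) is not None


def right_granted(ip: str, included: list[str], excluded: list[str]) -> bool:
    """Location rule from the text: the client's IP must match at least one
    included location and must not match any excluded location.  An empty
    included list therefore grants nothing."""
    if not any(matches_location(ip, f) for f in included):
        return False
    if any(matches_location(ip, f) for f in excluded):
        return False
    return True


if __name__ == "__main__":
    # Constructed policy: the whole 192.168.1.0/24 LAN except the router itself.
    included = ["192.168.1.*"]
    excluded = ["192.168.1.1"]
    for ip in ("192.168.1.42", "192.168.1.1", "192.168.10.7", "10.0.0.5"):
        print(f"{ip:<14} granted={right_granted(ip, included, excluded)}")
    # Pitfall: without the trailing dot the filter also matches 192.168.10.x,
    # 192.168.100.x and so on, because '*' swallows the dot as well.
    print("192.168.10.7 vs '192.168.1*' ->",
          matches_location("192.168.10.7", "192.168.1*"))
```

Run it and compare the last line with the line for 192.168.10.7 under the anchored filter: the only difference between the two filters is the dot, and it decides whether an address outside the intended subnet is granted the right.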
The Time tab specifies when the recipient has the right.
You can choose Always, or add time-slices to the included times and the excluded times: the recipient then holds the right only at a time that falls inside at least one included slice and inside no excluded slice, so if you do not choose Always you must add at least one included time for when you want the right to apply.
Time-slices can be regular or one-off, so you can set up rules such as "every weekday from 09:00:00 to 17:00:00" or "From 12-Jan-97 12:00:00 to 13-Jan-97 12:00:00".
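The two kinds of time-slice from the text, evaluated with the included/excluded rule, as an added Python example that is not WinGate's own code. The policy (weekday office hours as the included slice, the 12-Jan-97 to 13-Jan-97 window as an excluded one-off) is constructed; treating the start of a slice as inclusive and its end as exclusive is an assumption, as is the rule that a time must be inside an included slice and outside every excluded one.

```python
from __future__ import annotations
from datetime import datetime, time

WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday in datetime.weekday() numbering


class RegularSlice:
    """A recurring time-slice: on the given weekdays, between two times of day.
    Assumption: start is inclusive and end is exclusive, so a 09:00-17:00 slice
    last applies at 16:59:59."""

    def __init__(self, days: set[int], start: time, end: time) -> None:
        self.days, self.start, self.end = days, start, end

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


class OneOffSlice:
    """An absolute time-slice between two datetimes (same inclusive/exclusive rule)."""

    def __init__(self, start: datetime, end: datetime) -> None:
        self.start, self.end = start, end

    def contains(self, when: datetime) -> bool:
        return self.start <= when < self.end


def has_right(when: datetime, included, excluded, always: bool = False) -> bool:
    """Time rule: 'Always', or inside at least one included slice and inside
    no excluded slice (assumption: excluded slices override included ones)."""
    if always:
        return True
    if not any(s.contains(when) for s in included):
        return False
    if any(s.contains(when) for s in excluded):
        return False
    return True


# Constructed policy built from the two rules quoted in the text.
OFFICE_HOURS = RegularSlice(WEEKDAYS, time(9, 0, 0), time(17, 0, 0))
MAINTENANCE = OneOffSlice(datetime(1997, 1, 12, 12, 0, 0), datetime(1997, 1, 13, 12, 0, 0))
INCLUDED = [OFFICE_HOURS]
EXCLUDED = [MAINTENANCE]

if __name__ == "__main__":
    for when in (datetime(1997, 1, 13, 10), datetime(1997, 1, 13, 14),
                 datetime(1997, 1, 12, 10), datetime(1997, 1, 14, 17)):
        print(when.strftime("%a %d-%b-%y %H:%M:%S"), "->",
              has_right(when, INCLUDED, EXCLUDED))
```

Monday 13-Jan-97 10:00 is inside office hours but still inside the one-off exclusion, so the right is refused; 14:00 the same day is allowed. The example only decides whether a request at a given moment is permitted; whether a session already in progress is cut off when an included slice ends is not something the text specifies, so check that on your own installation.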
Ban List tab
The Ban List tab is the most useful tab for limiting users' access.
The list bans any request that matches any of its criteria; in the example that follows, no one can reach the server www.naughty.com. Bans can be made globally through Default Rights, or configured on a per-service basis.
To add a Global ban for www.naughty.com:
- Open GateKeeper.
- Log on as Administrator.
- Open the Users tab and select System Policies.
- Edit the Everyone recipient.
- Select the Ban list tab.
- Select the Enable ban list check box.
- Click Add.
- Select 'This criterion is met if', then 'Server name' and 'equals'.
- Enter the name you wish to ban, e.g. www.naughty.com.
- Click OK.
The ban will then appear in the Banned criteria list.
- A request is banned if any criterion in the global or the service ban list matches it.
- Anything you ban is inaccessible for that recipient.
- It is easier to ban URLs containing certain words than complete URLs or sites, but a 'contains' ban on a word also blocks every legitimate URL that happens to contain it, and a 'Server name equals' ban is bypassed by any other name or address that reaches the same server.
- You can deny access to part of a site with a ban of URL contains 'www.servername.com/dir1/dir2/'; the rest of the site stays accessible. Because the recipient can be a user or a group, this gives you access control that depends on who is logged on. The match is textual, so test that the case and encoding variants of the path you care about are caught as well.
The Advanced tab places restrictions on the requests a user can make when accessing a service. You can specify combinations of required and banned criteria to limit those requests.
If you choose to specify which requests the recipient has rights for, you specify filters and criteria; if you specify no included criteria, there are no restrictions. This dialog follows the same logic as the Caching tabs: think of it as adding restrictions to the request.
A number of variables are available when specifying a criterion; the table below lists them with their type and the services in which each one is available.
In this table, All means all services except DHCP.
| Variable | Type | Services | Description |
|---|---|---|---|
| Client IP number | String | All | The IP address the user is connected from |
| Client port number | Number | All | The port number on the client's computer |
| Client Netbios name | String | All + DHCP | The network name of the computer connecting |
| Client MAC address | String | All + DHCP | The MAC address of the LAN adapter in the requesting computer |
| Client is a DHCP client | True/False | All | The connecting computer has an IP assigned by WinGate |
| Server name | String | All | The name or IP of the server the client has asked to be connected to |
| Server port number | Number | All | The port number on the server the client has asked to be connected to |
| User: Username | String | All | The username (in WinGate) of the client. This is the account against which data and time are recorded |
| User: Authentication level | Number | All | The user authentication level: 0 = unknown user, 1 = assumed, 2 = authenticated |
| User: Bytes sent to client | Number | All | The number of bytes sent to date to the client from WinGate |
| User: Bytes received from client | Number | All | The number of bytes received to date from the client by WinGate |
| User: Bytes sent for client | Number | All | The number of bytes sent to date by WinGate on behalf of the client (e.g. to servers) |
| User: Bytes received for client | Number | All | The number of bytes received to date by WinGate on behalf of the client (e.g. from servers) |
| User: Seconds on line | Number | All | The number of seconds the user has been accessing WinGate to date |
| User: Account balance | Number | All | The user's account balance |
| Session description | String | All | Description of the session |
| HTTP Protocol | String | WWW | The protocol the user has requested in the URL, e.g. http, ftp, wais, ssl, gopher |
| HTTP Method | String | WWW | The HTTP command sent by the user, e.g. GET, HEAD, LIST, PUT, CONNECT, POST |
| HTTP Resource | String | WWW | The file requested by the user |
| HTTP URL | String | WWW | The full URL |
| HTTP POST data | String | WWW | The contents of any form sent using the POST method |
| HTTP Query string | String | WWW | The contents of the query string. This is normally the contents of a form submitted by the GET method |
| HTTP Header field | String | WWW | Any specified HTTP request header as defined in the HTTP protocol standard. You must supply the name of the field, e.g. "User-Agent", "If-Modified-Since" |
| Is Non-proxy method | True/False | All proxies | Whether the request was a non-proxy request |
| Session was handed over | True/False | WWW | Whether the session was handed over from SOCKS |
| POP3 Username | String | POP3 | The username of the POP3 mailbox the user is accessing |
| FTP Username | String | FTP | The username on the FTP server the user is accessing |
| VDOLive File | String | VDOLive | The file requested by the VDOLive player |
| SOCKS Protocol version | Number | SOCKS | The SOCKS protocol version number; 4 and 5 are valid |
| SOCKS Command | Number | SOCKS | The SOCKS command: 1 = connect, 2 = bind, 3 = UDP associate (SOCKS5 only) |
| SOCKS Address type | Number | SOCKS | The SOCKS address type (relevant for SOCKS5 requests only): 1 = IPv4, 2 = Name, 3 = IPv6 (not supported) |
The variable type determines which comparisons you can make with it. If the variable is a number, you can check whether the variable is greater than, less than, or equal to a number you specify.
If the variable is a string, you can apply comparisons such as "equals", "contains", "begins with", "ends with", or is "empty". Note that Server name and the HTTP variables hold whatever the client sent in its request, so a criterion on them is only as reliable as that value.
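The criterion evaluation described in this section, applied both to the Ban List tab (the two bans from the www.naughty.com procedure and the dir1/dir2 note above) and to the Advanced tab's required/banned criteria, as an added Python example that is not WinGate's own code. The requests are constructed WWW-proxy requests keyed by the variable names in the table; the assumptions are that string comparisons are case-insensitive, that True/False variables only support equality, and that the Advanced tab's included/excluded criteria combine the same way as locations and times (inside at least one included, inside no excluded).

```python
from __future__ import annotations
from typing import Any, Callable

# Comparisons named as in the criterion dialog.  Assumption: string comparisons
# are case-insensitive (host names are; whether WinGate folds case on URL paths
# is not stated in the text, so test that on your own install).
NUMBER_OPS: dict[str, Callable[[float, float], bool]] = {
    "equals": lambda var, val: var == val,
    "greater than": lambda var, val: var > val,
    "less than": lambda var, val: var < val,
}
STRING_OPS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda var, val: var.lower() == val.lower(),
    "contains": lambda var, val: val.lower() in var.lower(),
    "begins with": lambda var, val: var.lower().startswith(val.lower()),
    "ends with": lambda var, val: var.lower().endswith(val.lower()),
    "empty": lambda var, val: var == "",
}


class Criterion:
    """'This criterion is met if <variable> <comparison> <value>'."""

    def __init__(self, variable: str, comparison: str, value: Any = None) -> None:
        self.variable, self.comparison, self.value = variable, comparison, value

    def met(self, request: dict[str, Any]) -> bool:
        var = request.get(self.variable)
        if var is None:            # variable not available for this service
            return False
        if isinstance(var, bool):  # True/False variables: equality only (assumption)
            return var == self.value
        if isinstance(var, (int, float)):
            return NUMBER_OPS[self.comparison](var, self.value)
        return STRING_OPS[self.comparison](var, self.value or "")


def is_banned(request: dict[str, Any], ban_list: list[Criterion]) -> bool:
    """Ban list rule from the text: banned if ANY criterion is met."""
    return any(c.met(request) for c in ban_list)


def request_allowed(request, ban_list, included=(), excluded=()) -> bool:
    """Ban list first, then the Advanced tab: no included criteria means no
    restriction; otherwise (assumption) at least one included criterion must
    be met and no excluded criterion may be met."""
    if is_banned(request, ban_list):
        return False
    if included and not any(c.met(request) for c in included):
        return False
    if any(c.met(request) for c in excluded):
        return False
    return True


# The two bans from the text.
BAN_LIST = [
    Criterion("Server name", "equals", "www.naughty.com"),
    Criterion("HTTP URL", "contains", "www.servername.com/dir1/dir2/"),
]
# Advanced tab example: refuse anyone below authentication level 2 (authenticated).
ADVANCED_EXCLUDED = [Criterion("User: Authentication level", "less than", 2)]


def www_request(server: str, path: str, auth_level: int = 2) -> dict[str, Any]:
    """Constructed WWW-proxy request using the variable names from the table."""
    return {
        "Client IP number": "192.168.1.42",
        "Server name": server,
        "Server port number": 80,
        "HTTP Protocol": "http",
        "HTTP Method": "GET",
        "HTTP Resource": path,
        "HTTP URL": f"http://{server}{path}",
        "HTTP Query string": "",
        "User: Username": "alice",
        "User: Authentication level": auth_level,
        "Is Non-proxy method": False,
    }


REQUESTS = {
    "naughty":        www_request("www.naughty.com", "/index.html"),
    "naughty_no_www": www_request("naughty.com", "/index.html"),
    "private_dir":    www_request("www.servername.com", "/dir1/dir2/report.html"),
    "public_dir":     www_request("www.servername.com", "/dir1/public.html"),
    "public_assumed": www_request("www.servername.com", "/dir1/public.html", auth_level=1),
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:<15} banned={str(is_banned(req, BAN_LIST)):<5} "
              f"allowed={request_allowed(req, BAN_LIST, excluded=ADVANCED_EXCLUDED)}")
```

The "naughty_no_www" row is the point of the "Server name equals" caveat: the same server reached as naughty.com (or by IP address) is not caught by an exact match, which is why the text recommends "contains" bans on a distinctive word when you want coverage rather than precision.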