The Users Tab

The Users Tab lets you determine which users have access to the Internet through WinProxy. Each user is designated by computername or IP address; a user's access can be restricted by choosing which protocols he or she is allowed to use, and when.


Figure 4.1: The Users Tab under Settings allows you to determine who has access to the Internet through WinProxy.

When the Unless otherwise specified, permit access only between box is checked, all users will be limited to the specified time window. This feature lets those with an always-on connection (such as a cable modem or ISDN router) restrict Internet access by time of day; the other allowed time-window option in WinProxy applies only to dial-up connections. These time restrictions will affect all groups. Different time restrictions for individual groups can be set in the Edit Users Dialog.

For those users with a dial-up connection who enable both time-window restrictions, the rule is: the most restrictive one wins. Or, to put it another way, both functions must permit a connection or you can't get out to the Internet.

The weekday only box works the same as it does on the other time options. There are two ways to administer users in WinProxy:

  • Allow access to all users unless listed here with restrictions. This method is enabled only when you have not checked Restrict access to all users. This option starts with the premise that everyone on your network is allowed to use the Internet, and then trims back. If you choose to restrict an individual user, add his or her name to the User List with the requisite restrictions. This will not change the ability of other users to access the Internet.
  • Restrict access to all users except those listed here. This method permits access only to those users specifically listed in the User List. You must list each individual user in a group. Users not listed will not be allowed Internet access. We recommend that you avoid putting a single IP address in different groups. WinProxy won't sort out overlapping privileges, and the results are unpredictable.

This restriction applies to both internal and external IP addresses. If you have an incoming connection set up (such as an internal mail or web server), checking this option disables access for all outside users. We show a way around this restriction below.

NOTE: User administration can be done on either a user basis or a group basis. Each entry in this list is essentially a group, which can have up to 500 users. If you don't have many users, you can assign a different group for each user.

The entries in Figure 4.1 show the users as currently configured, and allow you to make new additions:

  • To add a new user group, click New
  • To modify an existing group, select the group you wish to modify and click Edit
  • To remove an existing group, select the group you wish to remove and click Delete

Edit Users Dialog

When you click Edit or New, you'll see the Edit Users Dialog, which allows you to either (1) enter information required to establish a user group, or (2) modify information about an existing group. A group has a group name, as well as a list of IP addresses in that group. Each group has from 0 to 500 users who can access the Internet under the same rights.

You can use either a computername or an IP address to add computers to the group. If you use the name, it must be the name of the computer, not the name of the person. When using a name, WinProxy will immediately try to resolve the name. If it cannot, you won't be allowed to add it to the group.

The best and easiest way to ensure resolution is to have the computername listed in WinProxy's Namelist file (you can get access to that under Protocols - DNS). Otherwise, make sure the computername is spelled correctly and the computer is online and connected to your network when you add the name.

Names will generally work well here and they're certainly easier to read and recognize, but for the most consistent results you should use IP addresses to designate members of a group.


Figure 4.2:

There is one wild-card that is allowed when defining user groups by IP address - the symbol '*'. As an example, the IP address "90.0.0.*" would be interpreted as "any member of the 90.0.0 network". This wild-card can only be used in the right-most field - that is, "90.0.*" is a legal construction, but "90.0.*.0" is not. This wild-card can come in very handy when you are defining entire subnets with the same access.


Figure 4.3:

Figure 4.4:

These examples show a way to use the wild-card to your advantage. In this case, the boss is allowed access to everything, and everybody else on that network is allowed only to use the HTTP protocol. When you have users in overlapping groups, the most specific IP designation wins. In this case, 90.0.0.2 is more specific than 90.0.0.*. As we mentioned before, if you have the actual IP address 90.0.0.2 listed in more than one group (and therefore with identical levels of specificity), the results are unpredictable. If you use it as we have shown here, it will work reliably. We'll cover a further use of this feature a little later in the chapter.

Now that you have a group defined, you can configure the kinds of access that the group is allowed. Let's start with protocols. In the example below, every machine in the "Consumer Affairs" group (except ".54," which hasn't yet been added) is allowed to use the web, get mail and news, and utilize Socks. No user is permitted to do FTP or telnet. This group does not have time restrictions separate from any that affect all groups, those set on the main Users tab.


Figure 4.5: As configured here, no user in this group can utilize FTP or Telnet.

Now let's take a look at using time to enforce user access. There are two places to enter time restrictions within the Edit User dialog. The Time Restrictions box in the center of the Edit User dialog governs the connections made by each member of the group.

Restrictions can be further defined by using the Restrict access to protocols section. Here, you can set separate time restrictions, protocol by protocol. Once a protocol is enabled (by checking the box next to it), select it by clicking on its name. The time boxes are now available for your use. Since time restrictions can be set up in several places (including Dial-Up Setup) it is possible to have conflicting time rules for an individual or a set of users. In these cases, the most restrictive rule will prevail.
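The combination rule above (a connection must be permitted by every time window that applies to it: the Users tab window, Dial-Up Setup, the group's Time Restrictions box, and the per-protocol window) is easy to get wrong when troubleshooting a user who "can't get out". The following model is an added example, not WinProxy's own code; the four sample windows and the test instants are constructed, and the source labels are only for reporting which rule refused the connection.

```python
"""Added example (not WinProxy code): how overlapping time restrictions combine.

The chapter says time windows can be set in several places and that the most
restrictive rule wins. Modelled here as: a connection is permitted only if
every applicable window permits it. All sample windows are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class TimeWindow:
    source: str            # where the rule was set (label for reporting only)
    start: time
    end: time
    weekdays_only: bool = False   # the "weekday only" box

    def permits(self, when: datetime) -> bool:
        if self.weekdays_only and when.weekday() >= 5:   # Saturday or Sunday
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end           # window wraps past midnight


def connection_permitted(when: datetime, windows) -> bool:
    """Most restrictive rule wins: every applicable window must permit the instant."""
    return all(w.permits(when) for w in windows)


def blocking_rules(when: datetime, windows) -> list:
    """Sources of the windows that refuse this connection (answers 'why am I blocked?')."""
    return [w.source for w in windows if not w.permits(when)]


def effective_window(windows):
    """Intersection of the daily hours as ('HH:MM', 'HH:MM'), or None if they never overlap.

    Only defined for windows that do not wrap past midnight; for those, check
    each instant with connection_permitted instead.
    """
    if any(w.start > w.end for w in windows):
        raise ValueError("wrapping window present: evaluate per instant instead")
    start = max(w.start for w in windows)
    end = min(w.end for w in windows)
    if start > end:
        return None
    return (start.strftime("%H:%M"), end.strftime("%H:%M"))


# Constructed sample: four places a rule could have been set for one HTTP request.
SAMPLE_WINDOWS = (
    TimeWindow("Users tab (all groups)", time(7, 0), time(19, 0), weekdays_only=True),
    TimeWindow("Dial-Up Setup", time(6, 0), time(22, 0)),
    TimeWindow("group: Consumer Affairs", time(8, 0), time(18, 0)),
    TimeWindow("protocol: HTTP", time(9, 0), time(17, 0)),
)
# Two windows that never overlap: no time of day satisfies both.
DISJOINT_WINDOWS = (
    TimeWindow("group", time(8, 0), time(10, 0)),
    TimeWindow("protocol: FTP", time(11, 0), time(12, 0)),
)
# A window that wraps past midnight (22:00 to 06:00).
NIGHT_WINDOW = TimeWindow("night shift", time(22, 0), time(6, 0))

# Constructed test instants (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
TUE_10AM = datetime(2024, 3, 5, 10, 0)
TUE_630PM = datetime(2024, 3, 5, 18, 30)
TUE_1130PM = datetime(2024, 3, 5, 23, 30)
SAT_10AM = datetime(2024, 3, 9, 10, 0)

if __name__ == "__main__":
    for when in (TUE_10AM, TUE_630PM, SAT_10AM):
        print(when, "permitted" if connection_permitted(when, SAMPLE_WINDOWS)
              else f"blocked by {blocking_rules(when, SAMPLE_WINDOWS)}")
    print("effective window:", effective_window(SAMPLE_WINDOWS))
```

Note that `effective_window` reports the narrowest daily interval (here 09:00 to 17:00 on weekdays), which is what users actually experience once all four rules are combined, even though no single dialog shows that figure.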


Figure 4.6: Since HTTP is enabled, you may edit the time restrictions.

Figure 4.7: FTP is disabled, so the time restriction controls are grayed out.

NOTE: Experienced network administrators may have noticed the little "gotcha!" in the example above. Since users are allowed to utilize the Socks protocol, they can still do FTP through their browsers if their browsers are configured for Socks protocol. If Socks is available, browsers may use it for many functions that otherwise might be restricted.

Other options: The option Do Not Enforce Site Restrictions can be used to allow privileged access to a group of users. When enabled, no machine in the defined group will have Blacklist, Whitelist, or SmartFilter restrictions enforced. Bosses like it.

Advanced: The advanced properties can be employed to send users to a different mail server in Classic Proxy.

NOTE: This feature is only useful to users whose mail applications are set up to use a Classic Proxy. Transparent Proxy is not affected by this setting.

Select this item if a particular group requires a different mail server. When Use a different Mail Server is enabled and configured, every machine in the group with mail applications configured to use a proxy uses a different mail and POP server than specified within the WinProxy Mail Setup. Mail apps which use Transparent proxy are unaffected.

Although most networks can be accommodated with a single mail server, occasions arise where a particular user or group needs access to a different mail server. This is where the address of the POP3 and SMTP server should be entered. All users in this group will be connected to the specified POP3 and SMTP servers. This feature is not supported for IMAP4.


Figure 4.8:

Using Wildcards with Site Restrictions

WinProxy supports use of the * wildcard in configuring User-restricted IP addresses. For instance, if everybody on the 90.0.0.x subnet is part of a group, type in 90.0.0.* as the IP address for the entire group rather than typing in each individual address.

Larger groupings are legal, as well. For instance, the IP address 192.168.* applies to any machine whose IP address begins with those numbers. You can carry this to the logical extreme: the IP address * is considered a legal address meaning "any possible IP address." Overlaps are possible when using wildcards; the rule is that the most specific designation wins. It doesn't matter in which order you enter the groups and restrictions in the user settings.

With careful forethought you can use the wildcard and internal and external IP addresses to enhance the security of almost any complex setup. An example would be the user or business with an internal mail server. The nature of SMTP decrees that you can't know ahead of time which server on the net will forward mail to your server, but you do know that your mail server must allow incoming connections at any time, day or night.

This situation becomes difficult when you want to use the option refuse access to all users except. At first glance it seems that you can't restrict access and still allow mail through an incoming port to an internal email server. Here's how to get around that:

  • Enable the option refuse access to all users except those listed here.
  • Define a group as "Incoming Mail." Use the IP address "*" (see note, immediately below) to specify the group IP address, and allow that group to use only the mail protocol.
  • Define another group by a name such as "Internal Users." Give this group the IP address 90.0.0.* (see note, immediately below) and allow it to use any protocol.

NOTE: Since the more specific 90.0.0.* wins, all internal users can do anything, but everybody else (including the incoming connections on port 25) is allowed use of the mail protocol and nothing else. You can, of course, increase the restrictions on your local users or define multiple groups.
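Both the boss/everyone-else configuration in Figures 4.3 and 4.4 and the "Incoming Mail" configuration just described rely on the same two rules: the wildcard is legal only in the right-most field(s), and the most specific designation wins. The model below is an added example, not WinProxy's own code; it encodes those rules as the chapter states them so you can check a planned set of groups for a clash before entering it. Group names, the protocol labels and the sample addresses are constructed, and an address claimed by two groups at equal specificity is reported as ambiguous rather than resolved, because the manual says WinProxy's result in that case is unpredictable.

```python
"""Added example (not WinProxy code): user-group matching as this chapter describes it.

Rules encoded: '*' only in the right-most field(s); most specific designation
wins among overlapping groups; equal specificity across two groups is undefined.
Names, protocol labels and addresses below are constructed for the demo.
"""
from dataclasses import dataclass

# Protocols the Edit Users dialog lets you enable per group (constructed labels).
ALL_PROTOCOLS = frozenset({"HTTP", "FTP", "TELNET", "MAIL", "NEWS", "SOCKS"})


class InvalidPattern(ValueError):
    """A wildcard that is not right-most, a bad octet, or an incomplete address."""


class AmbiguousMatch(LookupError):
    """Two groups claim the address with identical specificity."""


@dataclass(frozen=True)
class Group:
    name: str
    patterns: tuple       # e.g. ("90.0.0.2",) or ("90.0.0.*", "*")
    protocols: frozenset  # protocols this group may use


def parse_pattern(pattern: str):
    """Return (fixed leading octets, specificity), specificity = number of fixed octets.

    '90.0.0.2' -> 4, '90.0.0.*' -> 3, '192.168.*' -> 2, '*' -> 0.
    '90.0.*.0' is rejected: the wildcard must be right-most.
    """
    fields = pattern.strip().split(".")
    if not 1 <= len(fields) <= 4:
        raise InvalidPattern(f"expected 1-4 dotted fields: {pattern!r}")
    fixed, seen_wildcard = [], False
    for f in fields:
        if f == "*":
            seen_wildcard = True
            continue
        if seen_wildcard:
            raise InvalidPattern(f"wildcard must be right-most: {pattern!r}")
        if not f.isdigit() or not 0 <= int(f) <= 255:
            raise InvalidPattern(f"bad octet {f!r} in {pattern!r}")
        fixed.append(int(f))
    if not seen_wildcard and len(fixed) != 4:
        raise InvalidPattern(f"incomplete address without wildcard: {pattern!r}")
    return tuple(fixed), len(fixed)


def is_legal_pattern(pattern: str) -> bool:
    try:
        parse_pattern(pattern)
        return True
    except InvalidPattern:
        return False


def pattern_matches(pattern: str, ip: str) -> bool:
    fixed, _ = parse_pattern(pattern)
    octets = tuple(int(o) for o in ip.split("."))
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad address: {ip!r}")
    return octets[:len(fixed)] == fixed


def resolve(ip: str, groups, restrict_all: bool = False) -> frozenset:
    """Protocols `ip` may use. restrict_all=False models 'Allow access to all users
    unless listed here' (unlisted -> everything); restrict_all=True models
    'Restrict access to all users except those listed' (unlisted -> nothing)."""
    best_spec, winners = -1, []
    for group in groups:
        for pattern in group.patterns:
            if not pattern_matches(pattern, ip):
                continue
            spec = parse_pattern(pattern)[1]
            if spec > best_spec:
                best_spec, winners = spec, [group]
            elif spec == best_spec and group not in winners:
                winners.append(group)
    if not winners:
        return frozenset() if restrict_all else ALL_PROTOCOLS
    if len(winners) > 1:
        names = ", ".join(g.name for g in winners)
        raise AmbiguousMatch(f"{ip} claimed at equal specificity by: {names}")
    return winners[0].protocols


def is_ambiguous(ip: str, groups) -> bool:
    try:
        resolve(ip, groups)
        return False
    except AmbiguousMatch:
        return True


# Figures 4.3/4.4: the boss gets everything, the rest of 90.0.0.x only HTTP.
BOSS_EXAMPLE = (
    Group("Boss", ("90.0.0.2",), ALL_PROTOCOLS),
    Group("Everyone else", ("90.0.0.*",), frozenset({"HTTP"})),
)
# Incoming-mail setup from the end of the chapter; used with restrict_all=True.
MAIL_EXAMPLE = (
    Group("Incoming Mail", ("*",), frozenset({"MAIL"})),
    Group("Internal Users", ("90.0.0.*",), ALL_PROTOCOLS),
)
# The clash the manual warns about: one address listed in two groups.
DUPLICATE_EXAMPLE = BOSS_EXAMPLE + (Group("Dup", ("90.0.0.2",), frozenset({"FTP"})),)

if __name__ == "__main__":
    print("boss 90.0.0.2:", sorted(resolve("90.0.0.2", BOSS_EXAMPLE)))
    print("colleague 90.0.0.7:", sorted(resolve("90.0.0.7", BOSS_EXAMPLE)))
    print("outside host, mail setup:", sorted(resolve("203.0.113.9", MAIL_EXAMPLE, restrict_all=True)))
    print("90.0.0.2 ambiguous?", is_ambiguous("90.0.0.2", DUPLICATE_EXAMPLE))
```

Running the script with your own planned groups in place of the constructed ones gives a quick pre-check that no address falls into two groups at the same specificity, which is the case the manual says it cannot sort out.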
