WinGate Proxy Server

WinGate Proxy Server is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and communications needs of today's businesses. In addition to a comprehensive range of features, WinGate Proxy Server's license options provide you the flexibility to match your needs to your budget, whether you need to manage an enterprise, small business, or home network.

Key Functions

WinGate Proxy Server allows you to:

• Provide secure and managed Internet access for your entire network via a single or multiple shared internet connections
• Enforce advanced and flexible access-control and acceptable use policies
• Monitor usage in real time, and maintain per-user and per-service audit logs.
• Stop viruses, spam and inappropriate content from entering your network
• Provide comprehensive internet and intranet email services.
• Protect your servers from internal or external threats.
• Improve network performance and responsiveness with web and DNS caching
• Ease administration burdens on your internal networks.

Key Benefits

Using WinGate Proxy Server to actively manage the use of your Internet and network resources can provide many benefits, including:

• Improved Employee productivity through reduced time wastage
• Reduced time and resources required to maintain network integrity
• Reduced Employer liabilities
• Improved efficiency, responsiveness and reliability of network access

Internet Sharing

WinGate Proxy Server will share most types of Internet connection, allowing multiple users to simultaneously surf the web, retrieve their email, or use other internet programs, as if they were directly connected to the Internet. Whether it is a simple dialup modem or high speed fibre, WinGate Proxy Server can help to make the most out of the connection. WinGate Proxy Server supports a wide variety of Internet protocols, allowing applications such as Web browsers, messaging software, FTP and SSL. WinGate Proxy Server also supports DirectPlay Internet games and Real Time Streaming Audio/Video.

Control Internet Access

With WinGate Proxy Server's user database and policies, administrators can limit and control user access to the Internet. With logging, auditing, and a real time activity and history viewer, detailed records of user activities can be easily examined. This makes WinGate Proxy Server ideal for companies, schools, Internet cafes or any environment where Internet access needs to be monitored closely.

Built-in Security

WinGate Proxy Server comes with a built-in packet-inspecting firewall. Your network safety can be further enhanced with optional plug-in components, available seperately, which will scan incoming data for viruses, or filter out inappropriate content in web traffic. Read how WinGate Proxy Server has helped some of the 750,000 + registered customers to make the most of their Internet connection.

Features - Reliability

Features related to improving system reliability

Internet gateway monitoring

WinGate can monitor gateway machines on the same ethernet segment. By using a periodic ARP request, WinGate learns of failures to gateway machines. Upon such failures, WinGate marks that gateway as unusable, and the gateway selection features and connection failover features will (depending on your configuration) switch over to an alternative connection.

Administrators can specify different schemas for failover on a per-service basis, allowing for instance the WWW Proxy to fail over to one circuit, but email to fail over to a different backup circuit.

The unavailable gateways are still monitored, so if they become re-available, they will be used again.

Automatic system reconfiguration

Internet connection failover

In conjunction with Gateway Monitoring, but also handling dialup connections, the Connection failover features in WinGate are flexible and comprehensive.

Should an internet connection become unavailable, either by virtue of a dialup connection failing to connect, or an internet gateway becoming unavailable, then the administrator can set up policy for how to fail over to another connection. This policy may be set on a per-service basis in WinGate, and concerning dialup connections there is a global precedence of connections that may also be applied.

This allows for instance the WWW Proxy to fail over to one circuit, but email to fail over to a different backup circuit in the event of a failure in connectivity.

The unavailable gateways are still monitored, so if they become re-available, they will be used again

Server redundancy options

Normally options for server redundancy are limited. Apart from the obvious hardware redundancy options, if you choose to deploy and use the WinGate Internet Client on your networks, then you have a further opportunity to provide fail-over services in the event of a system crash.

By deploying the WinGate Internet Client, then installing several WinGate servers (whether they each have a connection, or share connections), then if one server becomes unavailable, the automatic discovery mechanism used by the WinGate Internet Client will kick in and find the fall-back server.

This allows the client machines to maintain access to the Internet even though the main gateway may have been disabled.

Features - Security

Features related to security

Stateful packet-level firewall

WinGate's ENS component provides for a number of features at the packet level. Because of where the WinGate ENS driver hooks into the networking subsystem of your computer, it sees all incoming packets before Windows itself does. This means WinGate's firewall can protect your system by blocking access to ports that you specify.

The firewall also is stateful in that it maintains a database of all connections through the system, and knows which state they are in. This allows WinGate to block certain attacks that other non-stateful firewalls cannot.

Additionally the firewall in WinGate can also harden your system against certain attacks on ports that you need to leave open for external access. For example if you are running a public web server, or mail server on the same machine as WinGate, the firewall can provide SYN flood protection and a number of other protective mechanisms.

Support for Antivirus data scanning

WinGate includes support for several plug-in components which are available separately. These data scanning components allow you to scan content passing through WinGate proxies. One component is an AntiVirus plugin, called Kaspersky AntiVirus for WinGate (KAVWG). The AntiVirus technology in this plugin is licensed from the well-respected Kaspersky Labs.

Several proxies and services in WinGate support scanning content for viruses using this plugin, these are:

• The SMTP server. This scans all received mail, and mail retrieved using POP3 collection
• The WWW proxy. This scans files as they are downloaded to your browser, and can detect not only files containing viruses (i.e. infected EXEs or ZIP files), but also iFrame exploits, and common attacks against web browsers.
• The POP3 Proxy. If you collect your email from a POP3 server on the Internet through WinGate's POP3 Proxy, you can also scan the email as it is being retrieved for viruses.
• The FTP proxy. Files being downloaded or uploaded can be scanned for viruses.

If a file fails scanning because it contains a virus, it is placed in WinGate's quarantine, where it may be released by the system administrator.

Application execution control

With a lot of todays network attacks coming from within the corporate LAN, be it from an employee unwittingly receiving virus infected emails, or deliberately running malicious applications; controlling what occurs on your network is all important.

WinGate, in conjunction with the WinGate Internet Client (WGIC), allows remote client lockdown to prevent undesirable applications from running.

Whenever a program on a client machine loads up, if it uses any sort of networking that uses Windows Sockets, and attempts to make a socket connection, the WinGate Internet Client will intercept it, and check with WinGate if the program is allowed to run or not. WinGate can be configured to give a variety of responses, ranging from allowing the program to have global internet access, to not even be able to run on the local client machine.

DMZ Support

WinGate allows you to define interfaces as being connected to certain types of network:

• Internal network (i.e. your LAN)
• External network (i.e. the Internet)
• a de-militarized zone (DMZ)

This provides the capability to set up a DMZ connected to any interface specified by you as being of that type.

A network connected to a DMZ interface in WinGate is protected from the Internet, and also firewalled from Internal Interfaces. You have separate control over which ports are available from the Internet, but the key difference between a DMZ interface, and an Internal interface, is that packets going from the DMZ to the Internet are not address translated (NAT is not performed), therefore the machines on the DMZ must have public IP addresses.

Secure connections (SSL access to proxies)

SYN-cookies

Syn cookies allow WinGate to control a session of packets before they are allowed to even enter the port by keeping track of valid Ack requests from a host on the Internet, so that bogus packets (which can be used in a Network attack called a SynFlood type of attack) will have less chance to penetrate WinGate's defences.
This option is not ticked by default to allow for maximum application session compatibility and should only be implemented by administrators who are experienced with TCP session mechanisms.

Features - Performance

Features providing performance enhancements

HTTP caching

The WWW Proxy in WinGate creates the opportunity for networks to gain greater efficiency and performance of web browsing.

In general the term caching relates to the act of storing the results of previous operations in the hope that future operations will be able to be satisfied by looking up the stored result, rather than having to fetch the result again.

Especially on large networks, where many users look at the same web pages, reductions in Internet traffic and improvements in speed can result by storing web pages returned as a result of one user's browsing, and returning that stored copy when another user requests the same page.

WinGate has sophisticated rules which allow the system administrator to specify what sorts of requests will be cached, and how the cache will be maintained (since you can't let a cache grow forever or you will run out of disk space).

DNS caching

WinGate includes a custom DNS resolver, which is used by WinGate services to resolve DNS queries. This DNS resolver was written so that WinGate could gain access to all the information returned by DNS servers to DNS requests. This information contains data relating to how long DNS records may be stored before they become stale. This allows WinGate to provide an effective and correct DNS cache.

DNS caching can greatly speed up the user experience of things such as web browsing. By storing (caching) the results of previous DNS lookups, keeping track of the freshness of the information, and returning cached information to clients on subsequent requests, DNS traffic can also be greatly reduced.

Multiple simultaneous internet connections

You can use multiple Internet connections at the same time with WinGate, thereby increasing your system throughput. On a per-proxy basis in WinGate, you can specify multiple methods of using these multiple connections as well.

for instance you could:

• Specify that the WWW Proxy uses all your available internet connections
• Specify that another proxy uses only one of the connections, but if that becomes unavailable, to fail over to the next one

WinGate monitors connections for availability, including remote gateways, so even if your Internet connections go through another router or a device such as a DSL/NAT device, you can still keep track of it.

WinGate's gateway selection features also allows you to specify on a per service basis which gateway will be used, so if you had a combination of multiple DSL/NAT devices, network gateways, modems, etc, you could still specify which connections go through which gateway, even if they are on the same physical ethernet segment.

Bandwidth management / throttling

WinGate allows you to control the way your available bandwidth is able to be used. Certain application such as streaming media players, internet radios, and others can soak up a lot of your available bandwidth, making core services such as email or web browsing suffer a performance degradation. Furthermore, restricting bandwidth available to certain applications is an effective method of discouraging people from using certain applications (such as file-sharing or peer to peer programs) without having to completely ban them (which people can often circumvent anyway).

With WinGate's bandwidth control functions, you can control bandwidth on a number of criteria:

• Per client IP address, or range thereof
• per source or destination port
• Per time of day (so you can apply different restrictions at different times)

Additionally, you can specify restrictions in terms of absolute bandwidth, or as a proportion of available bandwidth.

The final control you have is scheduling priority. You can make certain services respond more quickly than others by giving a higher priority to the forwarding of packets related to that service