IISGate


© 2002-2008 BluWaySoft. All rights reserved

Click on each tutorial topic, in sequence, to learn all about IISGate:

>Protect a directory
>Add a user
>Add a group of users
>Global settings

Protect a directory:
You can grant access to a local or remote (file server) directory, shared on your IIS web server, only to a single user or to a restricted group of users.
To do this, push the "Add" button on the "Protected directories" tab, browse for a directory and push "Done".
If you are administering a remote computer, type the full path of the directory as it is on the target machine's drive.

The protected directory and all its subdirectories are automatically protected with the same policy.


Screenshot

1. In the "General" tab, you can choose to filter the client HTTP request before the Basic or Cookie authentication. The purpose of the filters is to grant or deny access to the protected resource according to the client IP address, the client "User-agent" or the client "Referrer". You can access a filter's settings only after enabling it.
2. If the client HTTP request passes through the filters, IISGate then checks for user credentials. If no credentials are supplied, or if they are invalid, access to the protected resource is denied. To handle the user credentials you can use the Basic or the Cookie authentication method. Their features are:
>Standard window-based Basic Authentication:
      Authentication without a cookie, compatible with
      most browsers, expires at the end of the user session
      (closing the browser). User and password credentials
      are only Base64-encoded (they are protected in transit
      only when SSL is used).
>Custom web-based Cookie Authentication:
      The user's browser must be set to accept cookies;
      compatible with most browsers;
      authentication can expire with the user session
      (closing the browser) or at a set date.
      User and password credentials are encrypted with a
      custom IISGate private key (more secure if the
      connection is also protected with SSL).

NOTE: The browser supplies cookie credentials to the whole site on which they were validated. For example, once credentials have been successfully provided to the URL "http://www.iisgate.com/auth/", the browser supplies them for the whole site "http://www.iisgate.com/...".
The same applies to Basic authentication when the protected directories of the same site have the same "realm" description.
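The following added example (not IISGate code) shows why the Basic method above needs SSL: the Authorization header is only Base64-encoded, so anyone who can read the request can recover the user name and password. It parses that header the way a filter such as IISGate must (handling a missing header, a non-Basic scheme, bad Base64 and passwords containing colons) and builds the 401 challenge whose realm string decides, as the NOTE says, where the browser reuses the credentials. The sample headers are constructed.

```python
import base64
import binascii

# Constructed sample Authorization headers (not captured from any real site).
SAMPLE_HEADERS = {
    "ok": "Basic " + base64.b64encode(b"alice:s3cret:pw").decode(),
    "not_basic": "Bearer abc.def.ghi",
    "bad_b64": "Basic @@@not-base64@@@",
    "no_colon": "Basic " + base64.b64encode(b"alice-without-colon").decode(),
}


def parse_basic_credentials(authorization):
    """Return (user, password) from an Authorization header, or None.

    Base64 is an encoding, not encryption: anyone who can read the header
    on the wire recovers the credentials, hence the page's advice to use SSL.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only the first colon separates user from password (RFC 7617),
    # so a password may itself contain colons.
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep or not user:
        return None
    return user, password


def challenge_header(realm):
    """Build the WWW-Authenticate header sent with a 401 response.

    Browsers reuse Basic credentials for every protected directory of the
    same site that announces the same realm string (see the NOTE above).
    """
    return 'WWW-Authenticate: Basic realm="%s"' % realm.replace('"', "'")


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, "->", parse_basic_credentials(header))
    print(challenge_header("IISGate protected area"))
```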


Screenshot

The IP filter grants or denies access to protected resources according to the client IP address. You can add a new IP address range record by pushing the "Add" button and entering a range such as 192.168.0.0-192.168.0.255. Select the record that you want to modify or delete with the up/down arrow buttons.
You can customize the access denied message sent to the client, choosing between:
>HTML code - insert only the HTML code that appears between the <body> </body> tags of a normal HTML document; moreover, every link or file path must be an absolute URL "http://..."
>URL to an HTML/ASP/PHP file on the Internet (every link or path inside the page file must be an absolute URL "http://...")
>Path to a static HTML file (ASP or PHP is not processed; for remote administration, type the real path on the target machine).


Screenshot

The User-agent filter grants or denies access to protected resources according to the client User-agent string. You can add a new User-agent record by pushing the "Add" button. User-agent records are matched case-insensitively and are searched for as substrings of the string sent by the client browser. Select the record that you want to modify or delete with the up/down arrow buttons.
You can customize the access denied message sent to the client, choosing between:
>HTML code - insert only the HTML code that appears between the <body> </body> tags of a normal HTML document; moreover, every link or file path must be an absolute URL "http://..."
>URL to an HTML/ASP/PHP file on the Internet (every link or path inside the page file must be an absolute URL "http://...")
>Path to a static HTML file (ASP or PHP is not processed; for remote administration, type the real path on the target machine).


Screenshot

The Referrer filter grants or denies access to protected resources according to the client Referrer string. You can add a new Referrer record by pushing the "Add" button. Referrer records are matched case-insensitively and are searched for as substrings of the string sent by the client browser. Select the record that you want to modify or delete with the up/down arrow buttons.
You can customize the access denied message sent to the client, choosing between:
>HTML code - insert only the HTML code that appears between the <body> </body> tags of a normal HTML document; moreover, every link or file path must be an absolute URL "http://..."
>URL to an HTML/ASP/PHP file on the Internet (every link or path inside the page file must be an absolute URL "http://...")
>Path to a static HTML file (ASP or PHP is not processed; for remote administration, type the real path on the target machine).
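As an added example (not IISGate's own code), here is the filter stage the three tabs above describe, run before any authentication: IP records in the "a.b.c.d-e.f.g.h" form, and User-agent and Referrer records matched as case-insensitive substrings of the client's header. The records, the "grant"/"deny" mode applied uniformly to all three tabs, and the function names are assumptions of this example; a reversed IP range is rejected as a configuration error and a missing header never matches.

```python
import ipaddress

# Constructed filter records in the form the tabs accept; how IISGate
# stores them internally is not documented on this page.
IP_RECORDS = ["192.168.0.0-192.168.0.255", "10.0.0.0-10.0.0.15"]
USER_AGENT_RECORDS = ["Mozilla", "Opera"]
REFERRER_RECORDS = ["http://www.iisgate.com/"]


def parse_ip_range(record):
    """Turn 'a.b.c.d-e.f.g.h' (or a single address) into an inclusive
    (low, high) pair of integers; a reversed range is a config error."""
    low, _, high = record.partition("-")
    lo = int(ipaddress.ip_address(low.strip()))
    hi = int(ipaddress.ip_address((high or low).strip()))
    if hi < lo:
        raise ValueError("reversed IP range: %s" % record)
    return lo, hi


def ip_matches(client_ip, records):
    ip = int(ipaddress.ip_address(client_ip))
    return any(lo <= ip <= hi for lo, hi in map(parse_ip_range, records))


def string_matches(value, records):
    """Case-insensitive substring search, as the User-agent and Referrer
    tabs describe it; a missing header never matches any record."""
    if not value:
        return False
    value = value.lower()
    return any(rec.lower() in value for rec in records)


def evaluate_filters(client_ip, user_agent, referrer, mode):
    """Run the three filters before authentication, in tab order; return the
    name of the filter that denied the request, or None. mode is 'grant'
    (only listed clients pass) or 'deny' (listed clients are refused); using
    one mode for all tabs is an assumption of this example."""
    checks = [
        ("ip", ip_matches(client_ip, IP_RECORDS)),
        ("user-agent", string_matches(user_agent, USER_AGENT_RECORDS)),
        ("referrer", string_matches(referrer, REFERRER_RECORDS)),
    ]
    for name, listed in checks:
        if (mode == "grant") != listed:
            return name
    return None
```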


Screenshot

Push the "Users" and "Groups" buttons to select the users and/or groups that you want to grant access to the protected directory.
If you have enabled the ODBC database connection, push the "Users table" button to select the table that contains the user/password pairs (see below). The "Realm description" appears in the window-based authentication dialog. You can customize the access denied message sent to the client, choosing between:
>HTML code - insert only the HTML code that appears between the <body> </body> tags of a normal HTML document; moreover, every link or file path must be an absolute URL "http://..."
>URL to an HTML/ASP/PHP file on the Internet (every link or path inside the page file must be an absolute URL "http://...")
>Path to a static HTML file (ASP or PHP is not processed; for remote administration, type the real path on the target machine).


Screenshot

Push the "Users" and "Groups" buttons to select the users and/or groups that you want to grant access to the protected directory.
If you have enabled the ODBC database connection, push the "Users table" button to select the table that contains the user/password pairs (see below). To work properly, the cookie authentication method needs the path of the "login.asp" page (such as http://[INTERNET_DOMAIN_OR_IP_ADR]/.../login.asp). You can find more information on the cookie authentication settings in the file "Cookie_readme.txt" in the "Cookie" directory.

ONLY IF YOU HAVE ENABLED THE ODBC DATABASE CONNECTION IN THE GLOBAL PROPERTIES:
Push the "Users table" button. If the program fails to retrieve the list of database tables, fill in the three controls manually.
Normally the window shown below is displayed.

Screenshot

6. Select the table of your database containing the user/password pairs that will be granted access to the current protected directory. Then select the table column that contains the usernames and the column that contains the passwords.
7. Select the "Use advanced settings" control to type the table and column names manually and/or to add conditions to the SQL command that retrieves the passwords of granted users.
8. Push the "View SQL command" button to view the SQL command resulting from these settings. It will be used to retrieve the user's password during authentication.
Push the "Test settings/table content" button to test the SQL command and to search for bad records in the table.

Push the "Edit users" button to open the window below.


Screenshot


9. Push the "Add" button to add a user to the table, or "Delete" to delete users (select one or more users in the list).
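The following added example (not IISGate's own code) models steps 6 to 9 above: it builds the kind of password lookup that "View SQL command" displays, validating the table and column names against the global-settings naming rule before they enter the statement and binding the username as a parameter, and it runs the checks behind "Test settings/table content" (username 1-40 characters, password 0-40, no duplicated usernames). The exact statement IISGate generates is not documented on the page; the in-memory sqlite3 table, the identifier rule and the function names are assumptions standing in for the ODBC source.

```python
import re
import sqlite3

# Rules from the global settings: table/column names without spaces or
# special characters, usernames 1-40 characters, passwords 0-40.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
MAX_LEN = 40


def validate_identifiers(*names):
    for name in names:
        if not IDENTIFIER.match(name):
            raise ValueError("invalid table/column name: %r" % name)


def password_query(table, user_col, pass_col, condition=None):
    """Build the lookup "View SQL command" displays (assumed form). Names are
    validated before use, the username is bound as a parameter, and
    `condition` is the operator-written extra clause of the advanced settings."""
    validate_identifiers(table, user_col, pass_col)
    sql = "SELECT %s FROM %s WHERE %s = ?" % (pass_col, table, user_col)
    return sql + (" AND (%s)" % condition if condition else "")


def find_bad_records(conn, table, user_col, pass_col):
    """Mirror "Test settings/table content": rows breaking the length rules
    or duplicating a username are reported as (username, reason)."""
    validate_identifiers(table, user_col, pass_col)
    rows = conn.execute("SELECT %s, %s FROM %s ORDER BY rowid"
                        % (user_col, pass_col, table)).fetchall()
    seen, bad = set(), []
    for user, pw in rows:
        user, pw = user or "", pw or ""          # NULL counts as empty
        if not 1 <= len(user) <= MAX_LEN:
            bad.append((user, "username length"))
        elif user in seen:
            bad.append((user, "duplicate username"))
        if len(pw) > MAX_LEN:
            bad.append((user, "password length"))
        seen.add(user)
    return bad


def sample_db():
    """Constructed in-memory table standing in for the ODBC source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pwd TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", 1), ("", "x", 1),
        ("bob", "p" * 41, 1), ("alice", "again", 0),
    ])
    return conn
```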


Add a user (ODBC database connection disabled):
Push the "Add" button on the "Users" tab, then type the user name and push "OK".

Screenshot

1. Check this control to disable the user account without deleting it.
2. Displays the user name that you are editing.
3. Displays the groups of which the user is a member.
4. Type the password in this control (case sensitive).
5. Type the overall expiry date of the user account (format dd/mm/yy).
6. Type the redirection URL, used by redirection directories, to which the user is redirected after authentication (format http://...).
7. Type a free-form user description.
8. Type the user's e-mail address. It can be used to send a forgotten password.
9. Check this control if you want the user account to expire h:min after the first successful login
      (push the reset button to grant the user access again after it has expired).


Add a group of users (ODBC database connection disabled):
Push the "Add" button on the "Groups" tab, then type the group name and push "OK".

Screenshot

1. Select, with the arrows, the users that are inside/outside the group. Push "OK" to confirm the changes.


Global settings:
Use the menu "Edit>Global property..." to open the IISGate global settings window.

Screenshot

1. To enable an ODBC external database connection, select this control. This feature requires MDAC 2.0 or greater on your system; the MDAC version you have is the version of the "msdadc.dll" installed on your PC. Download the latest MDAC version at http://www.microsoft.com/data/. Push the "Database connection Wizard" button, or type your ODBC source name directly, to establish a connection to an existing database. The database must contain table(s) with username/password pairs (and other columns if you want). The names of these tables must not contain spaces or other special characters, and the same applies to the names of the columns that contain the username/password pairs. Usernames must be 1 to 40 characters long. Passwords must be 0 to 40 characters long (set 'yes' for the 'blank' value). After a successful connection, every protected directory must be set to work with one table built as described above.

If you enable the database connection, some features are disabled:

1) Redirection directories.
2) Auto-disabling of a user after a concurrent login event.
3) Users and groups built with the standard feature are no longer available.

The database connection settings (the ODBC source name plus the advanced settings) are shared between the IISGate admin program and the IISGate ISAPI filter (loaded into the IIS WWW publishing service). The only setting that is not shared, and is used only by the IIS WWW publishing service, is "Impersonate NT user..." in the advanced settings. If you have trouble connecting to the database from the admin program, try logging into Windows with an NT account that has been granted privileges on the database file.
The admin program uses the ODBC connection settings to:
1) Test the database connection during the wizard.
2) Retrieve the table names while setting the protected directory properties.
3) View or edit the granted users table.
4) Test the settings and table content of every protected directory.
The IIS WWW publishing service uses the ODBC connection settings to:
1) Retrieve the granted users during authentication.
NOTE:
If you have Windows XP or Windows 2003 Server and your database file is on another computer in your LAN, set the path of the database in your ODBC connection properties using the UNC format (\\servername\...\file.xxx). Do not map a network drive. If you have an Access database file, open the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\name_of_your_ODBC_connection] and in the "DBQ" entry type the UNC path to your database file. Do the same for the "DefaultDir" entry.

If your database connection needs a login ID or must impersonate an NT account, push the "Advanced..." button.

Check the "Disable cache..." control to disable the cache and always retrieve user information directly from the table (this way you always have fresh information about your users).

Push the "Cleaning cache..." button to open the window below.

Screenshot

2. You can choose one of three cache-cleaning schedules:
*a loop timer, in minutes
*every hour at a fixed minute
*once a day at a fixed hour:minute

Screenshot

3. Check the "Enable attack protection" control to protect your site against malicious users.
Clients that fail to authenticate after X bad logins within Y seconds are blocked for Z minutes:
if the event occurs, the client IP is blocked and
a warning HTML message is displayed for the set number of minutes.
You can choose between setting and editing the HTML code directly (insert only the HTML code that appears between the <body> </body> tags of a normal HTML document; moreover, every link or file path must be an absolute URL "http://...") or giving a URL (link) to a file (every link or path inside the page file must be an absolute URL "http://...").
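As an added example (not IISGate's own implementation), here is the X/Y/Z rule above as a per-IP sliding window: a client that accumulates X bad logins within Y seconds is blocked for Z minutes, failures older than Y seconds are forgotten, and the block lifts on its own once Z minutes have passed. The event list is constructed; the class, the replay helper and the windowing design are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed failed-login events as (client ip, unix time); not a real log.
FAILED_LOGINS = [
    ("203.0.113.5", 100.0), ("203.0.113.5", 101.0), ("203.0.113.5", 102.0),
    ("198.51.100.7", 100.0), ("198.51.100.7", 400.0), ("198.51.100.7", 700.0),
]


class AttackProtection:
    """Block a client IP for Z minutes after X bad logins within Y seconds
    (the page's settings); the sliding-window bookkeeping is an assumed
    design for illustration, not IISGate's own algorithm."""

    def __init__(self, x_bad_logins, y_seconds, z_minutes):
        self.x, self.y, self.z = x_bad_logins, y_seconds, z_minutes * 60
        self.failures = defaultdict(deque)   # ip -> failure timestamps
        self.blocked_until = {}              # ip -> time the block ends

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # Z minutes elapsed: unblock
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a bad login; return True if the client is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.y:     # forget failures older than Y
            q.popleft()
        if len(q) >= self.x:
            self.blocked_until[ip] = now + self.z
            q.clear()
            return True
        return False


def replay(events=FAILED_LOGINS, x=3, y=60, z=10):
    # Feed the events in time order; return (blocked ips, guard state).
    guard = AttackProtection(x, y, z)
    blocked = set()
    for ip, t in sorted(events, key=lambda e: e[1]):
        if guard.record_failure(ip, t):
            blocked.add(ip)
    return blocked, guard
```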


Screenshot

4. Check the "Concurrent login" control to manage this event type.
If a user account is used by more than one computer at the same time, you can choose to disable the user account and/or display a warning HTML message to the clients for h:min after the event occurs.
Furthermore, you can choose between setting and editing the HTML code directly (insert only the HTML code that appears between the <body> </body> tags of a normal HTML document; moreover, every link or file path must be an absolute URL "http://...") or giving a URL (link) to a file (every link or path inside the page file must be an absolute URL "http://...").
For most applications you must enable the "IP address..." control to prevent false concurrent login events for users who access the Internet through a provider that uses proxy servers. A typical example is AOL: if you disable this control, requests from the same browser can appear to come from different IP addresses. By default, set these IP address intervals:
152.163.188.0-152.163.188.255
152.163.189.0-152.163.189.255
152.163.195.0-152.163.195.255
152.163.197.0-152.163.197.255
152.163.213.0-152.163.213.255
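The following added example (not IISGate's own code) shows the concurrent-login check with the "IP address..." grouping described above: requests from addresses inside one of the default ranges are treated as the same client, so a proxy farm rotating within a range does not trigger a false event, while the same account arriving from an unrelated address within the window does. Treating each range record as its own group, the comparison window, the detector class and the sample requests are assumptions of this example.

```python
import ipaddress

# The page's default "IP address..." ranges: addresses inside one range count as one client.
SAME_CLIENT_RANGES = [
    "152.163.188.0-152.163.188.255", "152.163.189.0-152.163.189.255",
    "152.163.195.0-152.163.195.255", "152.163.197.0-152.163.197.255",
    "152.163.213.0-152.163.213.255",
]


def client_key(ip, ranges=SAME_CLIENT_RANGES):
    """Map an address to the range record it falls in, else to itself.
    Treating each record as its own group is an assumption of this example."""
    n = int(ipaddress.ip_address(ip))
    for i, rec in enumerate(ranges):
        low, _, high = rec.partition("-")
        if int(ipaddress.ip_address(low)) <= n <= int(ipaddress.ip_address(high)):
            return "range%d" % i
    return ip


class ConcurrentLoginDetector:
    """Flag an account used from two different clients within a window.
    The windowed comparison is an assumed design, not IISGate's own code."""
    def __init__(self, window_seconds):
        self.window = window_seconds
        self.last_seen = {}   # user -> (client key, time of last request)

    def observe(self, user, ip, now):
        """Return True when this request is a concurrent-login event."""
        key = client_key(ip)
        prev = self.last_seen.get(user)
        self.last_seen[user] = (key, now)
        if prev is None:
            return False
        prev_key, prev_time = prev
        return prev_key != key and now - prev_time <= self.window


# Constructed requests as (user, client ip, unix time); not a real log.
REQUESTS = [
    ("bob", "152.163.188.10", 10.0), ("bob", "152.163.188.200", 12.0),
    ("bob", "203.0.113.9", 15.0), ("alice", "198.51.100.1", 10.0),
    ("alice", "198.51.100.1", 20.0), ("carol", "203.0.113.9", 10.0),
    ("carol", "203.0.113.10", 1010.0),
]


def replay(requests=REQUESTS, window=300):
    det = ConcurrentLoginDetector(window)
    return [(u, ip, t) for u, ip, t in requests if det.observe(u, ip, t)]
```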

Screenshot

5. You can choose where IISGate events are logged: into a standard text file (you can set where to place it) and/or into the Windows NT/2000/2003 event log service and/or by sending an e-mail.
Check the "E-mail alert" control to send events to an e-mail account.
Set the parameters:
     "To:" > e-mail address, in the format x@y.z, to which the event alert will be sent
     "From:" > e-mail address, in the format x@y.z, that identifies the sender (not critical)
     "Subject:" > subject shown in the e-mail
     "SMTP server" > the name of your SMTP server that sends the e-mail

Screenshot

6. A "Redirection" directory is a special protected directory that you can use to create, within your site, a single point of authentication for all your users. A user successfully authenticated in a redirection directory is automatically redirected to their own protected directory. This feature is disabled if you have enabled the ODBC database connection in the global properties.

Screenshot

7. Check the "Enable FrontPage" control only if you need to edit FrontPage web sites inside a protected directory. Do not enable this feature if it is not necessary.
8. Set the minimum password length for all new users. Users created or modified after this control has been set must follow this policy.

Screenshot

9. Normally you can leave the "Enable shared memory between processes" control enabled (the default). Disable this control if IISGate reports "CreateFileMapping" or "MapViewOfFile" errors in the logs, or if you do not want to share memory between processes. To apply a change to this parameter, stop and restart the "IIS admin service".
10. Push the button to generate a new encryption key, used to encrypt user credentials for cookie authentication. Any user still logged in with an old encryption key will be logged out.
