Qbik Helpsys

Secure a Reverse Proxy


Problem:

The activity panel shows many connections from the Internet to the WWW Proxy service in WinGate when a reverse proxy has been configured.

 


Background:

By default, most proxy services in WinGate are bound only to the internal adapters and are therefore inaccessible from the Internet.  

To allow incoming connections from the Internet to a reverse proxy on the WinGate server, the WWW Proxy Service must be bound to an external adapter.  Binding to an external adapter makes the service available from the Internet.  If authentication is not required on the WWW Proxy service, or if ProxyRequest and ConnectRequest events are not controlled on the external adapter, then anyone on the Internet can use the WWW Proxy to browse the Internet, a state referred to as an "open proxy".



Resolution:

There are two options for securing the proxy.  One way is to allow only authenticated connections to the proxy.  This can be done in either Web Access Control or through the flow-chart policy.

The other option is to deny ProxyRequest and ConnectRequest connections to the proxy, as follows:

  1. Go to Control Panel::Services and select Install service to create a new WWW proxy service; name it reverse proxy.
  2. Edit the binding policy on the Bindings tab so that the service is only bound to your external interfaces.
  3. Configure your reverse proxy settings on the Web Server tab.
  4. Select the Events tab and double click ProxyRequest.
  5. Click Add to add a new event, choose Policy and click OK.
  6. Select "Create a new policy for this event", click Next.
  7. Name the policy, click Next, click Finish.  The flow-chart policy builder will open.
  8. Drag the reverse Proxy Service: ProxyRequest element into the policy builder.  Drag a result onto the policy builder and set the result to "reject".  Connect the policy elements and save the policy.
  9. Repeat the steps for a new policy using the ConnectRequest event type.
  10. Connect the flow-chart policy elements and save the policy.

You now have two policies that control the ProxyRequest and ConnectRequest events that are made to the reverse proxy.  This will reject any proxy requests to the reverse proxy and you should no longer see a large number of proxy requests from the Internet.
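A check to run against your own WinGate server once both policies are saved, as an added example that is not part of the original article or of WinGate's tooling: it sends the two request forms assumed here to raise the ProxyRequest and ConnectRequest events (an absolute-URI GET and a CONNECT) and reports whether each was refused. The destination example.com and all function names are assumptions made for the example.

```python
"""Confirm that a reverse proxy refuses forward-proxy requests (added example)."""
import socket
import sys

DEST = "example.com"  # assumption: neutral external destination used in the probes


def build_probes(dest=DEST):
    """Return the two request forms the reject policies are meant to stop."""
    return {
        # Absolute-URI GET: how a client asks a forward proxy to fetch a page.
        "ProxyRequest": f"GET http://{dest}/ HTTP/1.1\r\nHost: {dest}\r\n\r\n".encode(),
        # CONNECT: how a client asks a proxy to open a tunnel (used for HTTPS).
        "ConnectRequest": f"CONNECT {dest}:443 HTTP/1.1\r\nHost: {dest}:443\r\n\r\n".encode(),
    }


def verdict(response: bytes) -> str:
    """Classify the first bytes the server sent back to a probe."""
    if not response:
        return "rejected"  # closed, reset or timed out without answering
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"
    # 2xx means the request was answered. For CONNECT that is a tunnel; for the
    # GET, check the body to see whether it is DEST's page or your own site.
    return "serviced" if 200 <= int(parts[1]) < 300 else "rejected"


def send_probe(host, port, request, timeout=5.0):
    """Send one probe and return up to 4 KiB of the reply (b'' on any failure)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            return s.recv(4096)
    except OSError:
        return b""


def check(host, port=80):
    """Probe the external listener and map each event name to a verdict."""
    return {name: verdict(send_probe(host, port, req))
            for name, req in build_probes().items()}


if __name__ == "__main__":
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for name, result in check(sys.argv[1], port).items():
        print(f"{name}: {result}")
```

Run it from a host outside your network with the server's external address and port as arguments; both lines should read "rejected".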

