The best way is word of mouth. Failing that, the 2nd best way is to use a wingate scanner. You can scan whole subnets for wingates. A note: IPs in third world countries, the Middle East (except Israel), Africa, and on the @home network all have one thing in common: they all have wingates that are poorly configured, and there are usually a few open wingates on their networks. Try scanning them 1st and foremost.

Through Unix, the best way is trial and error: telnet to the wingate through port 23, then leave the user name and password blank, and if you get in, you've found one. You might also want to try username and/or password as: wingate.

The best Windows (32-bit) scanner I have used is: wGateScan v2.2

It is available on many different websites. I got it from this site; it has some other useful stuff on it too: http://www.hotmanscave.com/
http://www.cyberarmy.com/lists

To use it, all you have to do is enter a range of IP addresses or a hostname. It will telnet to each host in the range through port 23 and will send a message saying "wingate" or something. If the host accepts this message then bingo! You've found one, and it keeps a list of all working open wingates, which you can save to a file or delete as needed.

Hope this helps. Latr,
Remote_Access_
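
Seen from the network being swept, the behaviour described in the post (one source telnetting to every host in a range on port 23) shows up as a single address touching many distinct hosts on tcp/23 in a short time. The following is an added example, not part of the original post: a small detector over connection logs. The log format, the sample lines, the function name `find_telnet_sweeps` and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log. Assumed format per line:
# ISO timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 192.0.2.10 23
2024-01-01T10:00:01 198.51.100.7 192.0.2.11 23
2024-01-01T10:00:02 198.51.100.7 192.0.2.12 23
2024-01-01T10:00:03 198.51.100.7 192.0.2.13 23
2024-01-01T10:00:04 198.51.100.7 192.0.2.14 23
2024-01-01T10:00:05 198.51.100.7 192.0.2.15 23
2024-01-01T10:01:00 192.0.2.50 192.0.2.10 23
2024-01-01T10:05:00 192.0.2.50 192.0.2.10 23
2024-01-01T10:06:00 192.0.2.50 192.0.2.11 23
2024-01-01T10:00:00 203.0.113.9 192.0.2.10 80
2024-01-01T10:00:01 203.0.113.9 192.0.2.11 80
2024-01-01T10:00:02 203.0.113.9 192.0.2.12 80
2024-01-01T10:00:03 203.0.113.9 192.0.2.13 80
2024-01-01T10:00:04 203.0.113.9 192.0.2.14 80
"""

def find_telnet_sweeps(log_text, min_hosts=5, window=timedelta(seconds=60), port=23):
    """Return {source: all destinations it contacted on `port`} for every source
    that reached at least `min_hosts` distinct hosts on `port` within `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if int(dport) == port:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= min_hosts:
                flagged[src] = sorted({d for _, d in events})
                break
    return flagged

if __name__ == "__main__":
    for src, hosts in find_telnet_sweeps(SAMPLE_LOG).items():
        print(f"possible port-23 sweep from {src}: {len(hosts)} hosts")
```

An administrator who occasionally telnets to one or two hosts stays below the threshold; a WinGate host should in any case not accept blank or default logins on port 23 from outside addresses.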