Kerio Tech Firewall6 Administrator'S Manual Download

Page: 84 / 404

Chapter 7

Traffic Policy

are let in. This translation method guarantees high security — the firewall will not let in any

packet which is not a response to the sent request.

However, many applications (especially applications working with multimedia, Voice over IP

technologies, etc.) use another traffic method where other clients can (with direct connection

established) connect to a port “opened” by an outgoing packet. Therefore,

WinRoute

supports

also the

Full cone NAT

mode where the described restrictions are not applied for incoming

packets. The port then lets in incoming packets with any source IP address and port. This

translation method allows running of applications in the private network that would either

work only partially or they would not work at all.

For example of using of

Full cone NAT

for VoIP applications, refer to chapter

7.8

Warning

Use of

Full cone NAT

brings certain security threats — the port opened by outgoing connection

can be accessed without any restrictions being applied. For this reason, it is recommended to

enable

Full cone NAT

only for a specific service (i.e. to create a special rule for this purpose).

By any means do not allow Full cone NAT in the general rule for traffic from the local network

to the Internet

Such rule would significantly decrease security of the local network.

Note:

Older versions of

WinRoute

(to version

6.3.1

incl.) used so called

Symmetric NAT

where

each outgoing connection on the firewall was assigned a new source port from the reserved

range. For this reason, since

6.4.0 WinRoute

includes significantly improved support for

VoIP and multimedia applications than the previous versions even without using special

traffic rules. Both methods have the same security level — they differ only in method of

assigning source ports on the firewall.

The method of IP address translation having been used since version

6.4.0

(i.e.

Port re-

stricted cone NAT

) allows also using of the

IPSec

protocol. Special support for IPSec in-

cluded in older versions of

WinRoute

is not needed any longer.

Destination NAT (port mapping):

Destination address translation (also called port mapping) is used to allow access to services

hosted in private local networks behind the firewall. All incoming packets that meet defined

rules are re-directed to a defined host (destination address is changed). This actually “moves”

to the Internet interface of the

WinRoute

host (i.e. IP address it is mapped from). From the

client’s point of view, the service is running on the IP address from which it is mapped (usually

on the firewall’s IP address).

Options for destination NAT (port mapping):

Typically the

NAT

rule created by the

Traffic policy wizard

— see chapter

7.1

Summary of Contents for Firewall6

Page 1: ...Kerio WinRoute Firewall 6 Administrator s Guide Kerio Technologies...

Page 2: ...description on the Kerio WinRoute Firewall version 6 5 1 Improved version All additional modifications and updates reserved For current product version check http www kerio com kwfdwn Information rega...

Page 3: ...e product in the Administration Console 32 4 4 Product registration at the website 40 4 5 Subscription Update Expiration 40 4 6 User counter 42 5 Network interfaces 44 6 Internet Connection 49 6 1 Per...

Page 4: ...1 11 2 User logon and logout 146 11 3 Status information and user statistics 149 11 4 User preferences 150 11 5 Dial up 153 12 HTTP and FTP filtering 154 12 1 Conditions for HTTP and FTP filtering 155...

Page 5: ...ay UPnP 236 18 3 Relay SMTP server 238 19 Status Information 240 19 1 Active hosts and connected users 240 19 2 Network connections overview 247 19 3 Alerts 251 20 Basic statistics 256 20 1 Volume of...

Page 6: ...of Kerio VPN configuration company with a filial office 323 23 6 Example of a more complex Kerio VPN configuration 337 24 Kerio Clientless SSL VPN 363 24 1 Configuration of WinRoute s SSL VPN 363 24 2...

Page 7: ...tionality of the Internet connection and of traffic among hosts within the local network before you run the WinRoute installation This test will reduce possible problems with debugging and error detec...

Page 8: ...nts Automatic configuration activate the Obtain an IP address automatically option Do not set any other parameters Manual configuration define IP address subnet mask default gateway address DNS server...

Page 9: ...tab All the security settings within WinRoute are managed through so called traffic policy rules These provide effective network protection from external attacks as well as easy access to all the serv...

Page 10: ...nother host within the local network or the Internet Communication between WinRoute and the administration console is encrypted and thus protected from being tapped or misused Various Operating System...

Page 11: ...while detailed statistics can be found in the firewall s web interface Kerio VPN proprietary VPN server and client WinRoute also provides a proprietary VPN solution which can be applied to the server...

Page 12: ...from vendor to vendor Under proper circumstances use of the VPN solution included in WinRoute is recommended for details see chapter 23 Otherwise we recommend you to test a particular VPN server or V...

Page 13: ...ntivirus check If WinRoute uses an antivirus to check objects downloaded via HTTP or FTP protocols see chapter 13 3 the cache directory can be excluded with no risk files in this directory have alread...

Page 14: ...nstallation package file kerio kwf admin exe is de signed for remote administration from another host This package is identical both for 32 bit and 64 bit Windows systems For details on WinRoute admin...

Page 15: ...e user interface can then be set separately for individual WinRoute components In the installation wizard you can choose either Full or Custom installation Cstom mode will let you select optional comp...

Page 16: ...rogram does not allow to install the Administration Console separately Installation of the Administration Console for the remote administration requires a sepa rate installation package file kerio kwf...

Page 17: ...XP Windows Server 2003 Windows Vista and Windows Server 2008 operating systems However these services collide with the UPnP support in WinRoute refer to chapter 18 2 The WinRoute installation include...

Page 18: ...enter automatically This implies that the Security Center always indicates firewall status correctly and it does not display warn ings informing that the system is not protected 2 4 WinRoute Component...

Page 19: ...guidance for Kerio Administration Console is provided in Kerio Administration Console Help http www kerio com kwf manual 2 5 WinRoute Engine Monitor WinRoute Engine Monitor is a standalone utility use...

Page 20: ...version a notification is displayed 7 days before its expiration This information is displayed until the expiration 2 WinRoute Engine Monitor is available in English only 2 6 Upgrade and Uninstallati...

Page 21: ...ed Keeping these files may be helpful for copying of the configuration to another host or if it is not sure whether the SSL certificates were issued by a trustworthy certification authority During uni...

Page 22: ...ered in the dialog for account settings Name Admin can be changed in the Username edit box Note If the installation is running as an upgrade this step is skipped since the administrator account alread...

Page 23: ...nfiguration Allowing remote administration Enable remote access This option enables full access to the WinRoute computer from a selected IP address Remote IP address IP address of the computer from wh...

Page 24: ...erio com kwf manual The following chapters of this guide provide descriptions on individual sections of the WinRoute administration dialog window which is opened upon a successful login to the WinRout...

Page 25: ...WinRoute at multiple servers For details refer to the Help section in the Administration Console manual Note The New Connection option opens the same dialog as running the Adminis tration Console from...

Page 26: ...er host see Kerio Administration Console Help Administrator s guide this option displays the administrator s guide in HTML Help format For details about help files see Kerio Administration Console Hel...

Page 27: ...e saved Reconnect connection to the server will be recovered without saving any changes performed in the particular section of the console before the disconnection If the reconnection attempt fails on...

Page 28: ...estore default settings for better reference only columns providing the most important information are displayed by default The arrow buttons move the selected column up and down within the list This...

Page 29: ...tion with a valid license number received as a response to purchase of the product WinRoute is available with full functionality Note If your license key gets lost for any reason e g after the harddis...

Page 30: ...t up to date infor mation about individual licenses subscription extensions etc Deciding on a number of users licenses WinRoute s license key includes information about maximal number of users allowed...

Page 31: ...em Name of the operating system on which the WinRoute Firewall Engine service is running License ID License number or a special license name Subscription expiration date Date until when the product ca...

Page 32: ...chapter 16 2 the A new version is available click here for details notice is displayed whenever a new version is available Click on the link to open the dialog where the new version can be downloaded...

Page 33: ...ion about the trial version user person company It is also necessary that the user accepts the Privacy Policy Terms Otherwise the information cannot be stored in the Kerio Technologies database Use th...

Page 34: ...er information 4 The fourth page provides the information summary If any information is incorrect use the Back button to browse to a corresponding page and correct the data 5 The last page of the wiza...

Page 35: ...e language set in the Administration Console where confirmation of the registration is demanded is sent to the email address specified on the page two of the wizard Click on the link in the email mess...

Page 36: ...l components and subscriptions The page also includes any license numbers as sociated with the basic product that have already been registered Click on Add to add purchased license numbers Each number...

Page 37: ...4 3 Registration of the product in the Administration Console 37 Figure 4 8 Product registration license numbers of additional components add ons and subscription...

Page 38: ...s tions have already been answered the page is skipped and the registration process con sists of four steps only 5 The last page provides the information summary If any information is incorrect use th...

Page 39: ...4 3 Registration of the product in the Administration Console 39 Figure 4 10 Product registration other information Figure 4 11 Product registration summary...

Page 40: ...onsole welcome page This method can also be used for remote installation of the license key the license key file must be saved on the disk of the host from which the remote installation is performed B...

Page 41: ...e or any of its components stops functioning or WinRoute or McAfee subscription expires The information is also stopped being displayed immediately after the registration of the subscription or a lice...

Page 42: ...troubleshooting License policy must be borne in mind when deciding for a license purchase see chapter 4 1 The license counter works as follows Start WinRoute Upon WinRoute is started the table of cli...

Page 43: ...sts handled by DNS Forwarder Warning If clients use a DNS server located outside the local network such communication is considered as communication with the Internet DHCP traffic using either the Win...

Page 44: ...iguration Inter faces Figure 5 1 Network interfaces Groups of interfaces To simplify the firewall s configuration and make it as comfortable as possible network inter faces are sorted in groups in Win...

Page 45: ...g VPN server and VPN tunnels cannot be moved from the VPN interfaces group To move an interface to another group drag it by mouse to the desired destination group or select the group in properties of...

Page 46: ...ed interface does not support a certain function appropriate buttons will be inactive Add VPN Tunnel Use this option to create a new server to server VPN tunnel Details on the proprietary Kerio VPN so...

Page 47: ...cords related to network cards or dial ups that do not exist any longer those that have been removed do not affect WinRoute s functionality such interfaces are con sidered as inactive as in case of a...

Page 48: ...ured or removed If you do not consider RAS clients as parts of trustworthy networks for any reason you can move the Dial In interface to Other interfaces Note 1 If both RAS server and WinRoute are use...

Page 49: ...et connection is an issue and two Internet links are available the connection failover feature can help If the primary link fails WinRoute switches to the secondary link automatically Users may theref...

Page 50: ...plied by the ISP provider or they can be configured automatically with the DHCP protocol It is also possible to use a dial like link which can be connected persistently such as PPPoE connections or CD...

Page 51: ...net interface where the default gateway is set is offered Therefore in most cases the appropriate adapter is already set within this step 2 If the more IP addresses are set for the interface the prima...

Page 52: ...rface planned for DMZ you can move the particular interface to Other Interfaces For these interfaces it will be necessary to define corresponding traffic rules manually see chapter 7 3 It is also poss...

Page 53: ...eated in the operating system It is not necessary to define and save login data in the dial up settings this information can be defined directly in WinRoute This connection type also requires one or m...

Page 54: ...d edited if desirable The Internet Interfaces group includes only the Dial up connection link selected in the third page of the wizard This connection is set up as a dial on demand link see informatio...

Page 55: ...ce of the default gateway if no route exist in the routing table where a packet would be directed WinRoute create a default gateway by dialing an Internet link Dialing options For dial ups the interfa...

Page 56: ...over the other In times outside the defined ranges the link is dialed on demand Note 1 If a static route over a dial up is defined in WinRoute s routing table this link will be dialed whenever a pack...

Page 57: ...comfortable and in certain cases even increase connection costs Note In the time interval where persistent connection of the link is set see above the idleness timeout is ignored Dialing scripts In so...

Page 58: ...established automatically Requirements The computer hosting WinRoute must have two network interfaces for Internet connection a leased line Ethernet WiFi or a dial up with persistent connection CDMA P...

Page 59: ...network card or a persistently connected dial up Failing that the sec ondary connection would be activated upon each hang up of the primary link automatically Configuration with the wizard On the sec...

Page 60: ...f a leased link by a dial up Resulting interface configuration When you finish set up in Traffic Policy Wizard the resulting configuration can be viewed under Configuration Interfaces and edited if de...

Page 61: ...nternet interfaces for primary and secondary connection links only To change settings of primary and secondary connection use corresponding options in the interface edit dialog see chapter 5 or use th...

Page 62: ...e of failure of one of the lines the traffic is routed via another Note 1 Network load balancing is applied only to outbound traffic via the default route If the routing table see chapter 18 1 defines...

Page 63: ...r a dial up test the leased link connection first and then dial the other one Dialing of the link opens creates a new default route via this link which allows us to test Internet connection on the sec...

Page 64: ...s the ratio of speed between individual links it determines how Internet traffic will be divided among these links If login data for the selected telephone connections are not saved in the operating s...

Page 65: ...her connection on this Internet link is working and part of Internet traffic can be routed through it Other interfaces including Dial In are considered as segments of the LAN and put in Trusted Local...

Page 66: ...sible to specify IP addresses of other one or more testing computers upon clicking on Advanced If at least one of the tested devices is available the Internet connection in question is considered as f...

Page 67: ...traffic rules and later customize them as desired Advanced administrators can create all the rules according to their specific needs without using the wizard 7 1 Network Rules Wizard The network rule...

Page 68: ...nk with connection failover or multiple links with net work traffic load balancing On the third page you can set parameters for the selected type of Internet connection Individual options of Internet...

Page 69: ...n be allowed by modification of NAT traffic rules for LAN hosts or Firewall traffic rules for the firewall or by adding custom rules For details see chapter 7 3 Step 5 enabling Kerio VPN traffic To us...

Page 70: ...the Internet is running on the WinRoute host or another host within the local network define it in this dialog Figure 7 4 Network Policy Wizard enabling local services Note If creating of rules for Ke...

Page 71: ...ay of the host otherwise the service will not be available Service Selection of a service to be enabled The service must be defined in Configurations Defi nitions Services formerly see chapter 14 3 Ma...

Page 72: ...face of the firewall i e the interface connected to the Internet page 3 Note Since WinRoute 6 4 0 mapped services can be accessed also from local networks it is therefore not necessary to use another...

Page 73: ...onfiguration It is not necessary to change this rule whenever a new segment of the LAN is connected or Internet connection is changed By default the Trusted Local interfaces group includes also a Dial...

Page 74: ...the list is key The order of the rules can be changed with the two arrow buttons on the right side of the window An explicit rule denying all traffic is shown at the end of the list This rule cannot b...

Page 75: ...text describing the particular rule may be used to specify the Description entry up to 1024 characters If the description is specified the bubble symbol is displayed in the Name column next to the rul...

Page 76: ...entioned above we recommend you to specify source and destination computers only through IP addresses in case that you are connected to the Internet through a dial up IP range e g 192 168 1 10 192 168...

Page 77: ...unnel in the source destination address definition 1 Incoming VPN connections VPN clients all VPN clients connected to the WinRoute VPN server via the Kerio VPN Client 2 VPN tunnel network connected t...

Page 78: ...the firewall authentication page If users use each various hosts to connect from IP addresses of all these hosts must be considered 2 If user accounts or groups are used as a source in the Internet a...

Page 79: ...groups see chapter 15 are removed The Nothing value is automatically used for all Source Desti nation or and Service items of rules where a removed interface or a user account a group or a service has...

Page 80: ...ocol inspector for a certain service in WinRoute it is applied to all corre sponding traffic automatically If desired to bypass the protocol inspector for certain traffic it is necessary to define thi...

Page 81: ...urce address translation is used in traffic rules applied to traffic from the local private network to the Internet In other rules traffic between the local network and the firewall between the firewa...

Page 82: ...d dialing or connection failover these options have no effect on WinRoute s functionality Hint For maximal efficiency of the connection s capacity it is possible to combine both load balancing methods...

Page 83: ...T with specific IP address Full cone NAT For all NAT methods it is possible to set mode of allowing of incoming packets coming from any address so called Full cone NAT If this option is off WinRoute p...

Page 84: ...ernet4 Such rule would significantly decrease security of the local network Note 1 Older versions of WinRoute to version 6 3 1 incl used so called Symmetric NAT where each outgoing connection on the f...

Page 85: ...t recorded in the local DNS since rule is not applied until a corresponding IP address is found This might cause temporary malfunction of the mapped service Translate port to during the process of IP...

Page 86: ...lt settings of the Traffic Policy window for details on showing and hiding columns see chapter 3 2 Valid on Time interval within which the rule will be valid Apart from this interval WinRoute ignores...

Page 87: ...affic policy provides a range of network traffic filtering options In this chapter you will find some rules used to manage standard configurations Using these examples you can easily create a set of r...

Page 88: ...tion option should be set in the Destination address translation section otherwise the rule might not function Combining source and destination IP address translation is relevant under special conditi...

Page 89: ...Allow option otherwise all traffic will be blocked and the function of port mapping will be irrelevant Translation In the Destination NAT Port Mapping section select the Translate to IP address option...

Page 90: ...interface connected to the Internet uses two public IP addresses 63 157 211 10 and 63 157 211 11 We want the server web1 to be available from the Internet at the IP address 63 157 211 10 the server w...

Page 91: ...lation rule in the Service entry specify only those services that are intended to be allowed Figure 7 25 Internet connection sharing only selected services are available 2 Limitations sorted by IP add...

Page 92: ...a user group can be allowed to access certain Internet services only 2 Usage of user accounts and groups in traffic policy follows specific rules For detailed description on this topic refer to chapte...

Page 93: ...tions in traffic rules for Internet access with IP address translation NAT This approach brings wide range of options helping to meet all requirements for routing and network load balancing Note Polic...

Page 94: ...the link for traffic with a specific server see figure 7 32 Figure 7 32 Policy routing a link reserved for a specific server Note In the second rule automatic interface selection is used This means t...

Page 95: ...ther services load balancing per connection will be applied thus maximally efficient use of the capacity of available links will be reached Meeting of the requirements will be guaranteed by using two...

Page 96: ...he reason is that the automatic authentication or redirection to the login page is not invoked unless connection to the Internet is being established for license counting reasons see chapter 4 6 Howev...

Page 97: ...esses and a traffic rule for this service that will define explicitly that no protocol inspector will be used Example A banking application client communicates with the bank s server through its prope...

Page 98: ...traffic method where other clients can with direct connection established connect to a port opened by an outgoing packet For these cases WinRoute includes a special mode of address translation known...

Page 99: ...iginal outgoing connection for the registration was established However use of Full cone NAT allows such connection for any client calling to the SIP telephone in the local network Full cone NAT will...

Page 100: ...the Internet The parameters may be as follows IP addresses of the phones 192 168 1 100 and 192 168 1 101 Public IP address of the firewall 195 192 33 1 SIP server sip server com For the telephones de...

Page 101: ...tween the local network and the Internet being allowed be fore processed by the firewall packets use a local source address and an Internet destina tion address i e this is an outgoing traffic from th...

Page 102: ...ddress of the primary or the back up DNS server This solution has the risk of slow DNS responses All requests from each computer in the local network will be sent to the Internet use the DNS server wi...

Page 103: ...the service uses UDP protocol and port 53 If DNS Forwarder is not used for your network configuration it can be switched off If you want to run another DNS server on the same host DNS Forwarder must...

Page 104: ...Internet directly this will speed up the response DNS forwarder s settings also play role in configuration of private networks where it is necessary to provide correct forwarding of requests for name...

Page 105: ...ould be ordered starting by the most specific one e g name of a particular computer and with the most general one at the bottom e g the main domain of the company Similarly to this rules for reversed...

Page 106: ...ery alternative to specify rule for DNS queries on IP addresses in a particular subnet Subnet is specified by a network address and a corresponding mask i e 192 168 1 0 255 255 255 0 Use the Then forw...

Page 107: ...P lease tables and find out which IP address has been assigned to the host name If asked to inform about the local name of the host DNS Forwarder will always respond with the current IP address Note I...

Page 108: ...ress with appropriate subnet mask and other optional parameters such as IP address of the default gateway addresses of DNS servers domain name etc for the client stations All client parameters can be...

Page 109: ...wo parts in one address scopes and in the other reservations are defined Figure 8 5 DHCP server IP scopes In the Item column you can find subnets where scopes of IP addresses are defined The IP subnet...

Page 110: ...with a complete list of advanced parameters sup ported by DHCP including the four mentioned above Any parameter supported by DHCP can be added and its value can be set within this dialog Default param...

Page 111: ...belong to the subnet defined by the mask If this requirement is not met an error will be reported after the confirmation with the OK button Lease time Time for which an IP address is assigned to clien...

Page 112: ...assigned IP address of the interface the network is connected to Default gateway of another network would be useless not available to clients DNS server any DNS server or more DNS servers separated wi...

Page 113: ...ddress Scope tab Each scope is described with the following items total number of addresses within this scope number and percentage proportion of leases number and percentage proportion of free addres...

Page 114: ...ls i e with the ipconfig command or with a special application provided by the net work adapter manufacturer host name DHCP requests of most DHCP clients include host names i e all Windows operating s...

Page 115: ...ddress leased IP address Lease Expiration date and time specifying expiration of the appropriate lease MAC Address hardware address of the host that the IP address is assigned to in cluding name of th...

Page 116: ...currently assigned to The Scopes tab with a dialog where the appropriate address can be leased will be opened automatically All entries except for the Description item will be already defined with ap...

Page 117: ...d users has been exceeded see chapter 4 6 This implies that repeated connection of RAS clients may cause exceeding of the num ber of licensed users if the IP scope for the RAS service is too large or...

Page 118: ...us allows making mapped services always available under the same server name regardless of the fact if IP address changes and how often How cooperation with dynamic DNS works Dynamic DNS DDNS is a ser...

Page 119: ...quest for update of DNS records with name company com This requests starts update of DNS records of both names DDNS configuration in WinRoute To set cooperation with the dynamic DNS server go to the D...

Page 120: ...can forward all queries to so called parent proxy server 2 Internet connection is performed via a dial up and access to certain Web pages is blocked refer to chapter 12 2 If a direct connection is use...

Page 121: ...y 3128 port is set by the default Warning If you use a port number that is already used by another service or application WinRoute will accept this port however the proxy server will not be able to ru...

Page 122: ...te The name and password for authentication to the parent proxy server is sent with each HTTP request Only Basic authentication is supported The Forward to parent proxy server option specifies how Win...

Page 123: ...articular objects will be performed upon a new request of the page The required object will be found in cache unless the TTL timeout has expired If it has expired a check for a new update of the objec...

Page 124: ...removed automatically Cache size Size of the cache file on the disk Maximal cache size allowed is 2 GB 2047 MB Note 1 If 98 per cent of the cache is full a so called cleaning will be run this functio...

Page 125: ...ccelerates connection to redirected web pages Under usual circumstances 302 Redirect responses are not cached HTTP proto col s return code 302 stands for temporary redirection such redirection can be...

Page 126: ...ject or shorten its TTL i e for pages that are accessed daily Use the URL specific settings button to open a dialog where TTL for a particular URL can be defined Figure 8 17 HTTP cache specific settin...

Page 127: ...l number of queries since the startup of the WinRoute Firewall Engine The efficiency of the cache depends especially on user behavior and habits if users visit certain webpages regularly if any websit...

Page 128: ...object its size in bytes B and number of hours representing time left to the expiration To keep the list simple and well organized up to 100 items are displayed at a single page The Previous and Next...

Page 129: ...8 5 HTTP cache 129...

Page 130: ...r the other traffic where big data volumes are not transmitted but where for example response time may play a role 9 1 How the bandwidth limiter works and how to use it The Bandwidth Limiter module pr...

Page 131: ...while ISPs usually use kilobits per second kbps kbit s or kb s or in megabits per second Mbps Mbit s or Mb s The conversion pattern is 1 KB s 8 kbit s A 256 kbit s line s speed is 32 KB s a 1 Mbit s...

Page 132: ...details see chapter 15 1 Advanced Options Click on Advanced to define advanced Bandwidth Limiter parameters These parameters ap ply only to large data volume transfers They do not apply to users with...

Page 133: ...ection of network services IP Addresses and Time Interval It may be also helpful to apply bandwidth limiter only to certain hosts for example it may be undesired to limit a mailserver in the local net...

Page 134: ...ved in a connection belongs to the address group The other traffic will not be limited Apply to all except the selected address group the bandwidth limiter will not be applied if at least one IP addre...

Page 135: ...er certain amount of data objects included at the page and then closes the connections Terminal services e g Telnet SSH etc typically use an open connection to transfer small data volumes in longer in...

Page 136: ...data volume transfer since after 150 KB of data have been transferred before an only 5 sec long idleness interval and then only other 150 KB of data have been transmitted within the connection Figure...

Page 137: ...n WinRoute can authenticate at the firewall regardless their access rights Users can connect Manually by opening the WinRoute web interface in their browser https server 4081 or http server 4080 the n...

Page 138: ...he browser WinRoute detects whether the user has already authenticated If not WinRoute will re direct the user to the login page automatically After a successful login the user is automatically re dir...

Page 139: ...trix Presentation Server orFast user switching on Windows XP Windows Server 2003 Windows Vista and Windows Server 2008 the firewall requires authentica tion only from the user who starts to work on th...

Page 140: ...nutes of allowed user inactivity When this period ex pires the user is automatically logged out from the firewall The default timeout value is 120 minutes 2 hours This situation often comes up when a...

Page 141: ...references avail able to all users Statistics viewed in the web interface available only to users possessing appropriate rights are addressed in chapter 21 11 1 Web Interface Parameters Configuration...

Page 142: ...lso used in case that WinRoute needs redirect the browser to the login page for example if an unauthenticated user attempts to open a web page where authentication is required see chapters 10 1 and 12...

Page 143: ...n URLs for pages of the Web interfaces However the standard HTTPS port 443 uses the Clientless SSL VPN interface see chapter 24 Therefore it cannot be used for secured web interface in the default con...

Page 144: ...is key is then used for encryption and decipher any other traffic Generate or Import Certificate During WinRoute installation a testing certificate for the SSL secured Web interface is created automat...

Page 145: ...icate ensures your clients security as it is unique and the identity of your server is guaranteed by it Clients will be warned only about the fact that the certificate was not issued by a trustworthy...

Page 146: ...d for access to the WinRoute s web interface Any user with their own account in WinRoute can authenticate to the web interface regardless their access rights Note Authentication at the web interface i...

Page 147: ...e overall tab for details see chapter 21 The My Account option available at the upper right corner can be used to switch to the user settings It is possible to return to the statistics page by the Sta...

Page 148: ...ch conditions a special version of the login page is opened Figure 11 6 User authentication by password Authenticated user connecting to the web interface can continue their work in the interface afte...

Page 149: ...5 1 information on usage of individual quotas percentage is also provided here Hint Week and month starting days can be changed in accounting period settings see chap ter 21 2 Figure 11 7 Transfer Quo...

Page 150: ...be available it will not be blocked by the firewall If a certain feature is disabled in the parameters of a user account see chapter 15 1 a corresponding item within this page is inactive user cannot...

Page 151: ...this item does not match the required server name Cross domain referer blocking protects users privacy the Referer item can be monitored to determine which pages are opened by a user Save settings To...

Page 152: ...b Interface Language Preferences WinRoute s Web Interface is available in various languages In lower section of the Preferences tab it is possible to set language for the web interface Figure 11 11 Se...

Page 153: ...for details see chapter 5 Figure 11 12 Web interface dial ups control The following information items are provided for each line RAS interface name of the interface in WinRoute see chapter 5 Current s...

Page 154: ...ng access limitations according to URL substrings contained in URL addresses blocking of certain HTML items i e scripts ActiveX objects etc filtering based on classification by the ISS OrangeWeb Filte...

Page 155: ...d FTP rules are applied also when the WinRoute s proxy server is used then condition 1 is irrelevant However FTP protocol cannot be filtered if the parent proxy server is used for details see chapter...

Page 156: ...l information will be displayed Drop access will be denied and a blank page will be opened Redirect user will be redirected to the page specified in the rule Condition condition which must be met to a...

Page 157: ...ect which users this rule will be applied on any user for all users no authentication required selected user s for selected users or and user groups who have authenticated to the firewall Note 1 It is...

Page 158: ...a URL group refer to chapter 14 4 which the URL should match with is rated by ISS OrangeWeb Filter rating system the rule will be applied on all pages matched with a selected category by the ISS Oran...

Page 159: ...group Selection of IP address group on which the rule will be applied Client source addresses are considered Use the Any option to make the rule independent of clients Click on the Edit button to edit...

Page 160: ...ags are allowed in the restriction text If the plaintext format is not sufficient it is recommended to use redirection to another page see below A blank page user will not be informed why access to th...

Page 161: ...odule can be set Use the Enable HTTP Log and Enable Web Log options to enable disable logging of HTTP queries opened web pages to the HTTP log see chapter 22 10 and to the Web log refer to chapter 22...

Page 162: ...ngs on the WWW content scanning options tab are applied to traffic of hosts where users are not authenticated Special settings are used for users connected through the firewall Each authenticated user...

Page 163: ...ge content Each page is sorted into predefined categories Access to the page will be either permitted or denied according to this classification ISS OrangeWeb Filter uses a dynamic worldwide database...

Page 164: ...et and configured through the ISS OrangeWeb Filter tab in Configuration Content Filtering HTTP Policy Enable ISS OrangeWeb Filter use this option to enable disable the ISS OrangeWeb Filter module for...

Page 165: ...acters even zero a ker o question mark represents just one symbol Description Comments for the items defined For reference only ISS OrangeWeb Filter Deployment To enable classification of Websites by...

Page 166: ...ISS OrangeWeb Filter rating system is considered the key parameter The URL of each opened page will be rated by the ISS OrangeWeb Filter module Access to each page matching with a rating category incl...

Page 167: ...monitor whether unlock queries were appropriate or not 12 5 Web content filtering by word occurrence WinRoute can also filter Web pages that include undesirable words This is the filtering principle D...

Page 168: ...details see below On the URL Rules tab under Configuration Content Filtering HTTP Policy create a rule or a set of rules to allow access to the group of web pages which will be filtered by forbidden w...

Page 169: ...le filtering web pages by word occurrence word filtering Word groups To define word groups go to the Word Groups tab in Configuration Content Filtering HTTP Policy the Forbidden Words tab Words are so...

Page 170: ...ecified in Deny pages with weight over represents so called treshold weight value for each page i e total weight of all forbidden words found at the page If the total weight of the tested page exceeds...

Page 171: ...ot match any rule access to the FTP server is implicitly allowed Note 1 The default WinRoute configuration includes a set of predefined rules for FTP traffic These rules are disabled by default These...

Page 172: ...o disable the rule Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later Note FTP traffic which does not match any FTP rule is allowed any traff...

Page 173: ...be applied any server any FTP server server IP address of DNS name of a particular FTP server If an FTP server is defined through a DNS name WinRoute will automatically per form IP address resolution...

Page 174: ...rule will be applied Client source addresses are considered Use the Any option to make the rule independent of clients Click on the Edit button to edit IP groups for details see chapter 14 1 Content A...

Page 175: ...viruses according to scanning rules Use this option to enable disable scanning for viruses for FTP traffic which meet this rule This option is available only for allowing rules it is meaningless to ap...

Page 176: ...ighly recommended to consider thoroughly which method of antivirus check should be used and to which protocols it should be applied and if possible and desired to try the configuration in the trial ve...

Page 177: ...source address translation technology is used for Internet connection address translation must be set for this rule as well Note A corresponding protocol inspector can be also specified within the ser...

Page 178: ...Error log refer to chapter 22 8 Each download update attempt sets the Last update check performed value to zero Warning To make the antivirus control as mighty as possible it is necessary that the an...

Page 179: ...virus version s as well as information regarding the age of the current virus database will be displayed If the update check fails i e the server is not available an error will be reported and detaile...

Page 180: ...t might happen that the connection over which the file is transferred is interrupted when the time limit is exceeded The optimal value of the file size depends on particular conditions the server s pe...

Page 181: ...for HTTP and FTP traffic objects files of selected types are scanned The file just transmitted is saved in a temporary file on the local disk of the firewall WinRoute caches the last part of the trans...

Page 182: ...ute host WinRoute administrators can later try to heal the file using an an tivirus program and if the file is recovered successfully the administrator can provide it to the user who attempted to down...

Page 183: ...to be taken when the antivirus check cannot be applied to a file e g the file is compressed and password protected damaged etc Deny transmission of the file WinRoute will consider these files as infec...

Page 184: ...ule HTTP FTP filename this option filters out certain filenames not entire URLs transmitted by FTP or HTTP e g exe zip etc If only an asterisk is used for the specification the rule will apply to any...

Page 185: ...is detected the attachment is replaced by a notice informing about the virus found Note Warning messages can also be sent to specified email addresses e g to network admin istrators when a virus is d...

Page 186: ...ter send them to their original addressees The quarantine subdirectory under the WinRoute directory is used for the quarantine the typical path is C Program Files Kerio WinRoute Firewall quarantine Me...

Page 187: ...ck Disable TLS Secure mode will not be available Clients will automatically assume that the server does not support TLS and messages will be transmitted through an unencrypted connection Firewall will...

Page 188: ...ion the antivirus check will be applied By default only files downloaded from a remote client to a local host are scanned to avoid slowdown local network is treated as trustworthy If the antivirus che...

Page 189: ...s IP address ranges subnets or other groups Creating and Editing IP Address Groups You can define IP address groups in the Configuration Definitions Address Groups section Figure 14 1 WinRoute s IP gr...

Page 190: ...eters of the new item related to the selected type Description Commentary for the IP address group This helps guide the administrator Note Each IP group must include at least one item Groups with no i...

Page 191: ...ed edited and removed in Configuration Definitions Time Ranges Clicking on the Add button will display the following dialog window Name Name identification of the time interval Insert a new name to cr...

Page 192: ...3 Services WinRoute services enable the administrator to define communication rules easily by permit ting or denying access to the Internet from the local network or by allowing access to the local ne...

Page 193: ...ices Clicking on the Add or the Edit button will open a dialog for service definition Figure 14 6 Network service definition Name Service identification within WinRoute It is strongly recommended to u...

Page 194: ...elow that will be used for this service Note Each inspector should be used for the appropriate service only Functionality of the service might be affected by using an inappropriate inspector Source Po...

Page 195: ...be used in passive mode The FTP protocol inspector distinguishes that the FTP is active opens the appropriate port and redirects the connection to the appropriate client in the local network Due to t...

Page 196: ...group of web pages you can simply define a URL group and assign permissions to the URL group rather than defining permissions to each individual URL rule A URL group rule is processed significantly fa...

Page 197: ...URL group definition Name Name of the group in which the new item will be added Options of the Name entry are as follows select a group to which the URL will be added add a name to create a new group...

Page 198: ...with www www www kerio com all URLs at the www kerio com server this string is equal to the www kerio com string sex all URL addresses containing the sex string sex cz all URL addresses containing suc...

Page 199: ...tory domain i e password is not stored in the user account in WinRoute Obviously usernames in WinRoute must match with the usernames in the domain This method is not so demanding as far as the adminis...

Page 200: ...nnection to the WinRoute administration in case of the network or domain server failure 15 1 Viewing and definitions of user accounts To define local user accounts import accounts to the local databas...

Page 201: ...ptions are available for accounts in the local database Add Edit Remove Click Add Edit or Remove to create modify or delete local user accounts for details see chapter 15 2 It is also possible to sele...

Page 202: ...account each user can be authenticated through the WinRoute s internal database Active Directory or Windows NT domain A basic administrator account is created during the WinRoute installation process...

Page 203: ...15 2 Local user accounts 203 Figure 15 2 Local user accounts in WinRoute Step 1 basic information Figure 15 3 Creating a user account basic parameters Name Username used for login to the account...

Page 204: ...ication User authentication see below Account is disabled Temporary blocking of the account so that you do not have to remove it Note For example this option can be used to create a user account for a...

Page 205: ...tab to set parameters for user authentication through the Windows NT domain or and through the Active Directory If Active Directory authentication is set also for Windows NT domain then Active Directo...

Page 206: ...annot edit them Full access to administration These users have full rights to administration and are equal to the Admin account If there is at least one user with the full access to the administration...

Page 207: ...by a user account template Step 4 data transmission quota Daily and monthly limit for volume of data transferred by a user as well as actions to be taken when the quota is exceeded can be set in this...

Page 208: ...Route see chapter 18 3 If you wish that your WinRoute administrator is also notified when a quota is almost exceeded set the alert parameters in Configuration Accounting For details refer to chapter 1...

Page 209: ...t filter rules settings for individual users can be defined Global rules defined in the Content Rules tab in the Configuration Content Filtering HTTP Policy section are used as default when a new user...

Page 210: ...be defined by a user account template Step 6 user s IP addresses Figure 15 8 Creating a new user account IP addresses for VPN client and automatic logins If a user works at a reserved workstation i e...

Page 211: ...ess Using this method a fixed IP address can be assigned to a user when he she connects to the local network via the Kerio VPN Client It is possible to add this IP to the list of IP addresses from whi...

Page 212: ...matic import of user accounts from Active Directory If Active Directory is used automatic import of user accounts can be applied Specific WinRoute parameters such as access rights content rules data t...

Page 213: ...from the Windows NT do main or from Active Directory Each import of a user account covers creating of a local account with the identical name and the same domain authentication parameters Specific Win...

Page 214: ...cted domain are listed When accounts are selected and the selection is confirmed the accounts are imported to the local user database 15 4 Active Directory domains mapping In WinRoute it is possible t...

Page 215: ...ion regarding the operating system on the corre sponding domain server 3 For DNS configuration the same rules are followed as for mapping of a single domain DNS server must be a domain server of the d...

Page 216: ...ecified server or to search for a domain server The automatic connection to the first server available increases reliability of the connection and eliminates problems in cases when a domain controller...

Page 217: ...se automatic authentication in web browsers see chapter 25 2 For NTLM authentication name of the NT domain corresponding with the domain speci fied in the Active Directory domain is required For mappi...

Page 218: ...the primary domain only define which users will be allowed to login to WinRoute i e to the web interface to the SSL VPN inter face to the WinRoute administration etc using the username without domain...

Page 219: ...ithout the domain specified represents an account belonging to the local database However as long as possible it is recommended to remove all collisions by the conversion Note In case of user groups c...

Page 220: ...ied criteria The searching is interactive each symbol typed or deleted defines the string which is evaluated immediately and all groups including the string in either Name or Description are viewed Th...

Page 221: ...move users to from the group If user accounts have not been created yet the group can be left empty and users can be added during the account definition see chapter 15 1 Hint When adding new users you...

Page 222: ...ck actions are traced in the Security log Users can dial RAS connection If the Internet connection uses dial up lines users of this group will be allowed to dial and hang up these lines in the Web int...

Page 223: ...ote administration is available from all local hosts How to allow remote administration from the Internet In the following example we will demonstrate how to allow WinRoute remote administration from...

Page 224: ...y rule 16 2 Update Checking WinRoute enables automatic check for new versions at the Kerio Technologies website When ever a new version is detected is download and installation is offered Open the Upd...

Page 225: ...yet and they could endanger functionality of your networks etc Check now Click on this button to check for updates immediately If a new version is available detailed information links and download li...

Page 226: ...Chapter 16 Remote Administration and Update Checks 226 Figure 16 3 Administration Console s welcome page informing that a new version is available...

Page 227: ...o one or multiple P2P networks The following restrictions can be applied to users of P2P networks i e to hosts on which clients of such networks are run Blocking options it is possible to block access...

Page 228: ...es time when the restriction for the particular host will be applied The P2P Eliminator module enables traffic for this user automatically when the specified time expires The time of disconnection sho...

Page 229: ...network is detected e g the WinRoute administrator define the alert on the Alerts Settings tab of the Configuration Account ing section For details see chapter 19 3 Parameters for detection of P2P net...

Page 230: ...ist of so called secure services These services will be excluded from detection of P2P traffic The Define services button opens a dialog where services can be define that will not be treated as traffi...

Page 231: ...any other interface is correct Detailed information on networks connected to individual interfaces is acquired in the routing table The Anti Spoofing function can be configured in the Anti Spoofing f...

Page 232: ...ction count limits protects the firewall the WinRoute host from flooding and it can reduce undesirable activities by worms and Trojan horses Note This feature does not limit number of connections comi...

Page 233: ...the route p command Note 1 In the Internet connection failover mode see chapter 6 3 only the current default route is shown depending on which Internet interface is currently active 2 In case of multi...

Page 234: ...amically upon connecting and disconnecting of VPN clients or upon creating and removing of VPN tunnels VPN routes cannot be created modified nor removed by hand Inactive routes routes which are curren...

Page 235: ...be in the same IP subnet as the selected interface Metric Distance of the destination network The number stands for the number of routers that a packet must pass through to reach the destination netw...

Page 236: ...e restored automatically There are many methods that can be used to create persistent routes the methods vary according to operating system in some systems the route p or the route command called from...

Page 237: ...through ports mapped with UPnP will be recorded in the Filter log see chapter 22 9 Log connections If this option is enabled all packets passing through ports mapped with UPnP will be recorded in the...

Page 238: ...server tab in Configuration Advanced Options Figure 18 5 SMTP settings reports sending Server Name or IP address of the server Note If available we recommend you to use an SMTP server within the loca...

Page 239: ...resolved warning message is displayed in the SMTP Relay tab until the IP address is not found If the warning is still displayed this implies that an invalid non existent DNS name is specified or the D...

Page 240: ...on about certain activity is reported e g error or warn ing reports debug information etc Each item is represented by one row starting with a timestamp date and time of the event In all language versi...

Page 241: ...ss of the host from which the user is connecting from Login time Date and time of the recent user login to the firewall Login duration Monitors length of the connection This information is derived fro...

Page 242: ...or Firefox SeaMonkey core version 1 3 or later is used VPN client user has connected to the local network using the Kerio VPN Client for details see chapter 23 Note Connections are not displayed and t...

Page 243: ...ation in the Active Hosts window Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh Logout user Immediate logout of...

Page 244: ...conds when the activity was detected Activity Event Type of detected activity network communication WinRoute distinguishes between the following activities SMTP POP3 WWW HTTP traffic FTP Streams real...

Page 245: ...the Connections tab you can view detailed information about connections established from the selected host to the Internet and in the other direction e g by mapped ports UPnP etc The list of connecti...

Page 246: ...to enable disable showing of DNS names instead of IP ad dresses in the Source and Destination columns If a DNS name for an IP address cannot be resolved the IP address is displayed You can click on th...

Page 247: ...on the selected period The green curve represents volume of incoming data download in a selected time period while the area below the curve represents the total vol ume of data transferred in the per...

Page 248: ...individual messages so called datagrams Periodic data exchange is monitored in this case Figure 19 7 Overview of all connections established via WinRoute One connection is represented by each line of...

Page 249: ...nformation in Connections is refreshed automatically within a user defined interval or the Refresh button can be used for manual refreshing Options of the Connections Dialog The following options are...

Page 250: ...atic refreshing of the information in the Connections window Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh Man...

Page 251: ...of direction of IP addresses out SNAT or in DNAT For details refer to chapter 7 19 3 Alerts WinRoute enables automatic sending of messages informing the administrator about impor tant events This make...

Page 252: ...ding host Low free disk space warning this alert warns the administrator that the free space of the WinRoute host is low under 11 per cent of the total disk capacity WinRoute needs enough disk space f...

Page 253: ...ne must use an appropriate email address e g number provider com Sending of SMS to telephone numbers for example via GSM gateways connected to the WinRoute host is not supported To Email address of th...

Page 254: ...p If alert templates in the language are not available English version is used instead Email and SMS alerts are always in English Note In the current WinRoute version alerts are available only in Engl...

Page 255: ...ername virus name etc Click an event to view detailed information on the item including a text description defined by templates under console details see above in the bottom section of the window Figu...

Page 256: ...ividual users during various time periods today this week this month and total The Quota column provides usage of transfer quota by a particular user in percents see chap ter 15 1 Colors are used for...

Page 257: ...stats cfg file in the WinRoute directory This implies that this data will be saved the next time the WinRoute Firewall Engine will be started User Quota dialog options Right click on the table or on a...

Page 258: ...tomatic refreshing of the information on the User Statistics tab Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh...

Page 259: ...tem data from the Internet was received through this interface at the LAN interface as OUT data was sent to the local network through this interface Note Interface statistics are saved into the stats...

Page 260: ...ected to can be removed Whenever a removed interface is activated again upon connection of the VPN tunnel etc it is added to the statistics automatically Graphical view of interface load The traffic p...

Page 261: ...forming about average throughput at the interface Example Suppose the 1 day interval is selected Then an impulse unit is represented by 5 minutes This means that every 5 minutes an average traffic spe...

Page 262: ...ample to figure out exact numbers of Internet connection costs per user 3 For correct functionality of the Kerio StaR interface it is necessary that the WinRoute host s operating system supports all l...

Page 263: ...ored by the proxy server itself see chapter 8 4 Note HTTPS traffic is encrypted and therefore it is impossible to monitor visited sites and categories Only volume of transferred data is included in th...

Page 264: ...r statistics and quota Under certain circumstances too many connected users great volume of transmitted data low capacity of the WinRoute host etc viewing of statistics may slow WinRoute and data tran...

Page 265: ...o StaR interface see chapter 20 Figure 21 2 Kerio StaR advanced options The Show user names in statistics by option enables select a mode of how users and their names will be displayed in individual u...

Page 266: ...red and included in statistics and quota e g only in working hours Without this period no traffic will be included in the statistics and in the quota neither For details on time intervals see chapter...

Page 267: ...ps refer to chapter 14 1 URL exceptions can be applied only to unsecured web pages the HTTP protocol Connec tions to secured pages the HTTPS protocol are encrypted and URL of such pages cannot be dete...

Page 268: ...r 11 1 This guarantees function of the link from the WinRoute host and from the local network To make Internet Usage Statistics link work also for remote administration over the Internet name of the p...

Page 269: ...t and table of top users having visited the greatest number of web pages of the domain is provided Web Categories the top ten most frequently visited web categories in accordance with the ISS OrangeWe...

Page 270: ...oolbar at the top of the Kerio StaR page Figure 21 6 Kerio StaR toolbar and accounting periods The toolbar includes buttons for fast switching between accounting periods daily weekly monthly Arrows pr...

Page 271: ...esponding textfield Note Under certain circumstances an information may be reported that this period will be rounded to whole weeks or months In such a case the real rounded period for the statistics...

Page 272: ...on the current period day the chart shows traffic by hours week or month the chart shows traffic by days For custom periods up to 2 days the chart shows traffic by hours up to 5 weeks the chart shows...

Page 273: ...transferred data The chart shows part of the most active users in the total volume of transferred data in the selected period Hover a user s name in the chart by the mouse pointer to see volume of dat...

Page 274: ...col The chart of used protocols shows part of individual protocols i e their classes in the total volume of data transferred in the selected accounting period Hover a protocol name with the mouse poin...

Page 275: ...Messenger etc Other any traffic which does not belong to any of the previously described categories 1 The No data available alert informs that no data is available in WinRoute s database for the sele...

Page 276: ...Advanced button see chapter 21 2 When a user is selected full name username and email address are displayed if defined in the user account The View User s Activity link switches StaR to the Users Acti...

Page 277: ...l available information about the se lected user username email address etc Figure 21 17 User s Activity user info Under this header all detected activities of this user in the selected time period ar...

Page 278: ...activities are sorted in a few categories Under the title of each category summary information total number of connections total volume of transferred data etc is provided followed by detailed overvie...

Page 279: ...ssible to simply click on the link to open the page in a new window or a new tab of the browser If the page has no title it will not be included in the activity list Connections to secured pages HTTPS...

Page 280: ...Sent Received messages number of messages transferred within one connec tion name or IP address of the incoming outgoing email server used protocol and volumes of data transferred in each direction N...

Page 281: ...tion any traffic between the local network and the Internet within which more than 2 MB of data was transferred and which cannot be sorted in another category e g in Multimedia The record includes nam...

Page 282: ...ed by volume of transferred data The table provides an information of part of the user in the total volume of the transferred data It is possible to use the table to view all transferred data or only...

Page 283: ...he chart at the top of the tab shows top ten visited web domains The number in the chart refers to number of visits of all web pages of the particular domain in the selected accounting period Note The...

Page 284: ...he total visit rate of the particular domain Hovering of a user s name by the mouse pointer shows total number of web pages visited by the user Figure 21 25 Chart of top active users for the particula...

Page 285: ...ISS OrangeWeb Filter Statistics of categories provide more general information of visited websites For example the information help figure out how much users browse websites not related to their work...

Page 286: ...particular category Hovering of a user s name by the mouse pointer shows total number of the user s requests to the particular web category Figure 21 28 Chart of top users for a selected web category...

Page 287: ...full names are shown in charts or usernames if the full name is not defined in the account of the particular user Note Statistics of visited categories might be affected by wrong categorization of som...

Page 288: ...ministration Console Individual logs can be rotated after a certain time period or when a threshold of the file size is reached log files are stored and new events are logged to a new empty file Admin...

Page 289: ...will be rotated regularly The file will be stored and a new log file will be started in selected intervals Weekly rotation is performed at the edge of the calendar week depending on settings in the op...

Page 290: ...he particular file will be rotated whenever one of these conditions is met 2 Setting of statistics and quotas accounting period does not affect log rotation see chap ter 21 2 Rotation is always bound...

Page 291: ...for the particular WinRoute log depends on the Syslog server Severity Severity of logged events depends on the Syslog server 22 2 Logs Context Menu When you right click inside any log window a contex...

Page 292: ...the file name is set The file extension is set automatically in accor dance with the format selected Format logs can be saved as plaintext or in HTML If the HTML format is used colors will be saved f...

Page 293: ...ot be refreshed anymore Note If a user with read rights only is connected to WinRoute see chapter 15 1 the Log settings and Clear log options are missing in the log context menu Only users with full r...

Page 294: ...ng one or multiple strings matching the regular expression will be highlighted The Description item is used for reference only It is recommended to describe all created rules well it is recommended to...

Page 295: ...ction for details see chapter 19 3 22 4 Config Log The Config log stores a complete communication history between Administration Console and the WinRoute Firewall Engine the log allows you to find out...

Page 296: ...g table 3 Other changes in configuration A typical example of this record type is the change of traffic rules When the user hits Apply in Configuration Traffic policy a complete list of current traffi...

Page 297: ...cation layer service recognized by destination port If the corresponding service is not defined in WinRoute refer to chapter 14 3 the Service item is missing in the log User james name of the user con...

Page 298: ...defined log expression Figure 22 8 Expression for traffic monitored in the debug log The expression must be defined with special symbols After clicking on the Help button a brief description of possi...

Page 299: ...Protocol inspection reports from individual WinRoute s protocol inspectors sorted by protocol Kerio VPN detailed information on traffic within Kerio VPN VPN tunnels VPN clients encryptions exchange o...

Page 300: ...interface name client type IP address and username The second event is logged upon a successful hang up The log provides information about interface name time of connection connection time volume of...

Page 301: ...2008 15 59 08 DNS query for www microsoft com packet UDP 192 168 1 2 4579 195 146 100 100 53 initiated dialing of line Connection 15 Mar 2008 15 59 12 Line Connection disconnected The first record re...

Page 302: ...with low level driver problems when initializing system libraries services con figuration databases etc 6000 6999 filesystem errors cannot open save delete file 7000 7999 SSL errors problems with key...

Page 303: ...L rule log message 18 Apr 2008 13 39 45 ALLOW URL McAfee update 192 168 64 142 james HTTP GET http update kerio com nai antivirus datfiles 4 x dat 4258 zip 18 Apr 2008 13 39 45 date and time when the...

Page 304: ...TCP only 22 10 Http log This log contains all HTTP requests that were processed by the HTTP inspection module see section 14 3 or by the built in proxy server see section 8 4 The log has the standard...

Page 305: ...P protocol 0 size of the transferred object file in bytes 4 count of HTTP requests transferred through the connection An example of Http log record in the Squid format 1058444114 733 0 192 168 64 64 T...

Page 306: ...66 1864 195 39 55 10 445 flags SYN seq 3819654104 ack 0 win 16384 tcplen 0 packet from packet direction either from i e sent via the interface or to i e received via the interface LAN interface name s...

Page 307: ...io Administration Console WebAdmin web administration interface WebAdmin SSL secure web administration interface Proxy proxy server user authentication IP address IP address of the computer from which...

Page 308: ...oblems e g HTTP rules require user authen tication but the WWW interface is not enabled 3000 3999 warning from individual WinRoute modules e g DHCP server anti virus check user authentication etc 4000...

Page 309: ...ce For administrators the Web log is easy to read and it provides the possibility to monitor which Websites were opened by each user How to read the Web Log 24 Apr 2008 10 29 51 192 168 44 128 james K...

Page 310: ...ons Identities of individual clients are authenticated against a username and password transmitted also by secured connection so that unauthorized clients cannot connect to local networks Remote conne...

Page 311: ...f remote endpoints of VPN tunnels and of remote clients using Kerio VPN Client Note Connection to the VPN server from the Internet must be first allowed by traffic rules For details refer to chapters...

Page 312: ...ubnet By default upon the first start up after installation WinRoute automatically selects a free subnet which will be used for VPN Under usual circumstances it is not necessary to change the default...

Page 313: ...ver certificate This certificate is used for ver ification of the server s identity during creation of a VPN tunnel for details refer to chapter 23 3 The VPN server in WinRoute uses the standard SSL c...

Page 314: ...disabled refer to chapter 8 1 the option is not available Use specific DNS servers primary and secondary DNS servers specified through this option will be set for VPN clients If another DNS server th...

Page 315: ...d port is really free view the Error log to see whether an error of this type has not been reported Custom Routes Other networks to which a VPN route will be set for the client can be specified in thi...

Page 316: ...icense should be bought Basic configuration of traffic rules for VPN clients Figure 23 6 Common traffic rules for VPN clients The first rule allows connection to the VPN server in WinRoute from the In...

Page 317: ...nfiguration of VPN servers refer to chapter 23 1 Definition of a tunnel to a remote server VPN tunnel to the server on the other side must be defined at both ends Use the Add VPN tunnel option in the...

Page 318: ...N tunnel is being created identity of the remote endpoint is authenticated through the fingerprint of its SSL certificate If the fingerprint does not match with the fingerprint specified in the config...

Page 319: ...ings DNS must be set properly at both sends of the tunnel so that it is possible to connect to hosts in the remote network using their DNS names One method is to add DNS records of the hosts to the ho...

Page 320: ...ich method will be used to add routes provided by the remote endpoint of the tunnel to the local routing table as well as define custom routes to remote networks The Kerio VPN routing issue is describ...

Page 321: ...ture protects tunnels from disconnection by other firewalls or network devices between ends of tunnels Traffic Policy Settings for VPN Once the VPN tunnel is created it is necessary to allow traffic b...

Page 322: ...if a routing table at any side of the VPN tunnel includes invalid routes e g specified by the administrator these routes are also interchanged This might make traffic with some remote subnets impossi...

Page 323: ...with identical IP ranges is not allowed other routes i e routes to local subnets at remote ends of VPN tunnels excluding the cases described above all other VPN and all VPN clients are exchanged Note...

Page 324: ...by a VPN tunnel using the Kerio VPN VPN clients will be allowed to connect to the headquarters network The server default gateway of the headquarters uses the public IP address 63 55 21 12 DNS name i...

Page 325: ...ute a stand alone license for the corresponding num ber of users is required For details see chapter 4 2 Configure and test connection of the local network to the Internet Hosts in the local net work...

Page 326: ...ork remote network and VPN clients and set desirable access restrictions In this network configuration all desirable restric tions can be set at the headquarter s server Therefore only traffic between...

Page 327: ...us of the Create rules for Kerio Clientless SSL VPN option is irrelevant this example does not include Clientless SSL VPN interface s issues Figure 23 14 Headquarter creating default traffic rules for...

Page 328: ...ecify DNS servers to which DNS queries which are not addressed to the company com domain will be for warded primary and secondary DNS server of the Internet connection provider by default Figure 23 16...

Page 329: ...1 as a primary DNS server also for the other hosts Note For proper functionality of DNS the DNS database must include records for hosts in a corresponding local network To achieve this save DNS names...

Page 330: ...Chapter 23 Kerio VPN 330 Figure 23 19 Headquarters VPN server configuration For a detailed description on the VPN server configuration refer to chapter 23 1...

Page 331: ...dquarter definition of VPN tunnel for a filial office 6 Customize traffic rules according to the restriction requirements In the Local Traffic rule remove all items except those belonging to the local...

Page 332: ...default rule see chapter 7 3 Configuration of a filial office 1 Install WinRoute version 6 0 0 or later at the default gateway of the branch office server 2 Use Network Rules Wizard see chapter 7 1 to...

Page 333: ...Figure 23 24 Filial office default traffic rules for Kerio VPN When the VPN tunnel is created customize these rules according to the restriction re quirements Step 6 3 Customize DNS configuration as f...

Page 334: ...ts in a corresponding local network To achieve this save DNS names and IP addresses of local hosts into the hosts file if they use IP addresses or enable cooperation of the DNS Forwarder with the DHCP...

Page 335: ...office 335 Figure 23 27 Filial office TCP IP configuration at a firewall s interface connected to the local network Figure 23 28 Filial office VPN server configuration 5 Create an active endpoint of...

Page 336: ...ll be reported in the Adapter info column for both ends of the tunnel If the connection cannot be established we recommend you to check the configuration of the traffic rules and test availability of...

Page 337: ...whether the same subnet is not used at both ends of the tunnel If an IP address is tested successfully and an error is reported Unknown host when a corre sponding DNS name is tested then check configu...

Page 338: ...he fixed IP address 63 55 21 12 DNS name is gw newyork company com The server of one filial uses the IP address 115 95 27 55 DNS name gw london company com the other filial s server uses a dynamic IP...

Page 339: ...k To achieve this save DNS names and IP addresses of local hosts into the hosts file if they use IP addresses or enable cooperation of the DNS Forwarder with the DHCP server in case that IP addresses...

Page 340: ...e whether the same subnet is not used at both ends of the tunnel If an IP address is tested successfully and an error is reported Unknown host when a cor responding DNS name is tested then check conf...

Page 341: ...will create rules for connection of the VPN server as well as for communication of VPN clients with the local network through the firewall Figure 23 34 Headquarter default traffic rules for Kerio VPN...

Page 342: ...ute host s inbound interface connected to the local network at the remote side of the tunnel Figure 23 36 Headquarter DNS forwarding settings Set the IP address of this interface 10 1 1 1 as a primary...

Page 343: ...23 6 Example of a more complex Kerio VPN configuration 343 Figure 23 37 Headquarter TCP IP configuration at a firewall s interface connected to the local network...

Page 344: ...is available Note The VPN network and Mask entries now include an automatically selected free sub net Check whether this subnet does not collide with any other subnet in the headquarters or in the fi...

Page 345: ...gerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate Figure 23 39 Headquarter definition of VPN tunnel for the London filial On th...

Page 346: ...cribed here is applied see figure 23 31 it is un recommended to use automatically provided routes In case of an automatic exchange of routes the routing within the VPN is not be ideal for example any...

Page 347: ...unnel connected to the Paris filial Figure 23 41 The headquarters definition of VPN tunnel for the Paris filial On the Advanced tab select the Use custom routes only option and set routes to the sub n...

Page 348: ...Chapter 23 Kerio VPN 348 Figure 23 42 The headquarters routing configuration for the tunnel connected to the Paris filial Figure 23 43 Headquarter final traffic rules...

Page 349: ...the wizard select the Create rules for Kerio VPN server option setting of the Create rules for Kerio Clientless SSL VPN option is not regarded here Figure 23 44 The London filial no restrictions are...

Page 350: ...he London filial office DNS forwarder configuration Enable the Use custom forwarding option and define rules for names in the company com and filial2 company com domains To specify the forwarding DNS...

Page 351: ...n the filials If it does specify a free subnet Figure 23 49 The London filial office VPN server configuration For a detailed description on the VPN server configuration refer to chapter 23 1 5 Create...

Page 352: ...ter 23 Kerio VPN 352 our example the ping gw newyork company com command can be used at the London branch office server Figure 23 50 The London filial office definition of VPN tunnel for the headquart...

Page 353: ...23 6 Example of a more complex Kerio VPN configuration 353 Figure 23 51 The London filial routing configuration for the tunnel connected to the headquarters...

Page 354: ...SSL certificate Figure 23 52 The London filial office definition of VPN tunnel for the Paris filial office On the Advanced tab select the Use custom routes only option and set routes to Paris local ne...

Page 355: ...e of a more complex Kerio VPN configuration 355 Figure 23 53 The London filial routing configuration for the tunnel connected to the Paris branch office Figure 23 54 The London filial office final tra...

Page 356: ...e access from the local network to the Internet is not restricted i e that access to all services is allowed in step 4 Figure 23 55 The Paris filial no restrictions are applied to accessing the Intern...

Page 357: ...company com domains Specify the server for DNS forwarding by the IP address of the remote firewall host s interface i e interface connected to the local network at the other end of the tunnel Figure...

Page 358: ...cted free sub net Check whether this subnet does not collide with any other subnet in the headquarters or in the filials If it does specify a free subnet Figure 23 59 The Paris filial office VPN serve...

Page 359: ...l for the headquarters On the Advanced tab select the Use custom routes only option and set routes to headquar ters local networks At this point connection should be established i e the tunnel should...

Page 360: ...Chapter 23 Kerio VPN 360 Paris branch office server Figure 23 61 The Paris filial routing configuration for the tunnel connected to the headquarters...

Page 361: ...ice definition of VPN tunnel for the London filial office On the Advanced tab select the Use custom routes only option and set routes to London s local networks Like in the previous step check whether...

Page 362: ...lial office final traffic rules connect to this branch office VPN test The VPN configuration has been completed by now At this point it is recommended to test reachability of the remote hosts in the o...

Page 363: ...Places system tool it does not enable access to web servers or other services in a remote network SSL VPN is suitable for an immediate access to shared files in remote networks in such envi ronments w...

Page 364: ...cre ating importing a certificate is identical as the one for WinRoute s interface or the VPN server addressed in detail in chapter 11 1 Hint Certificates for particular server name issued by a trustw...

Page 365: ...particular domain at the login page by username and password is required Any operations with shared files and folders are performed under the identity of the user currently logged in Figure 24 4 Clien...

Page 366: ...page an entry is available where location of the demanded shared item so called UNC path can be specified for example server folder subfolder The path may be specified regularly even if folder or and...

Page 367: ...fault configuration only files uploaded to hosts in remote private networks are scanned For connection speed reasons files downloaded to local hosts from remote networks are not scanned by antiviruses...

Page 368: ...to enter a new path Figure 24 7 Clientless SSL VPN new folder Use the Edit button to select a new path folder where the new folder will be created use a bookmark select it in the folder tree Renaming...

Page 369: ...path folder or select it in the tree or it is also possible to use a bookmark see above Moving of files folders It is also possible to remove any number of folders or and files as well as all files an...

Page 370: ...in the SSL VPN interface is set Destination folder can be specified manually selected in the folder tree or loaded from a bookmark see above Use the File entry to specify full path to a local file Fi...

Page 371: ...blems you have already figured out Configuration files All WinRoute configuration data is stored in the following files under the same directory where WinRoute is installed the typical path is C Progr...

Page 372: ...status information is saved Files Cache CFS Current ISS OrangeWeb Filter s cache data see chapter 12 4 dnscache cfg DNS files stored in DNS forwarder s cache see chapter 8 1 leases cfg IP addresses as...

Page 373: ...is being reinstalled follow these steps 1 Perform WinRoute installation on a required machine refer to chapter 2 3 2 Stop WinRoute Firewall Engine 3 Into the WinRoute directory the typical path is C...

Page 374: ...DEVICE 7AC918EE 3B85 5A0E 8819 CBA57D4E11C7 variable variable name Name LAN variable listitem listitem variable name Id DEVICE 6BF377FB 3B85 4180 95E1 EAD57D5A60A1 variable variable name Name Local Ar...

Page 375: ...2 The server i e the WinRoute host belongs to a corresponding Windows NT or Active Directory Windows 2000 2003 2008 domain 3 Client host belongs to the domain 4 User at the client host is required to...

Page 376: ...tory domain the corresponding NT domain must be set in the particular domain s configuration on the Active Directory tab for details refer to chapter 15 4 Figure 25 3 Setting of NTLM authentication fo...

Page 377: ...e login dialog is displayed only if NTLM authentication fails e g when user account for user authenticated at the client host does not exist in WinRoute Warning One reason of a NTLM authentication fai...

Page 378: ...ect connection proxy server is not set in the browser Look up the network automatic ntlm auth trusted uris parameter Use the WinRoute host s name as a value for this parameter e g server or server com...

Page 379: ...rowser Web browsers allow to set the proxy server either globally or for individual protocols In our example configuration of Internet Explorer 6 0 focused configuration of any other browsers is almos...

Page 380: ...P New Connection option available in the main menu or creating a bookmark for repeated connec tions Net FTP Connect The proxy server must be configured individually for each FTP connection or for each...

Page 381: ...receives a packet from the local network it will compare it with the system routing table If the packets goes out to the Internet no record will be found since there is no default route in the routin...

Page 382: ...use it is initiated by WinRoute low lever driver This driver holds packets and decides whether the line should be dialed or not If the line is disconnected and a packet is sent from the local host to...

Page 383: ...r must be defined by DNS name so that the application can create a DNS query In the operating system set the primary DNS server to the IP address of the fire wall In Windows go to TCP IP properties in...

Page 384: ...when demanded In Actions for DNS name you can select either the Dial or the Ignore option Use the second option to block dialing of the line in response to a request for this DNS name The Dial action...

Page 385: ...tivate the Enable dialing for local DNS names option in the Other settings tab to enable this at the top of the Dial On Demand dialog window In other cases it is recommended to leave the option disabl...

Page 386: ...ection which will provide you with a few guidelines 26 1 Essential Information To send a request to our technical support use the contact form at http support kerio com To be able to help you solve yo...

Page 387: ...ype and license number Please specify whether you have purchased any WinRoute license or if you use the trial version Requirements of owners of valid licenses are always preferred 26 2 Tested in Beta...

Page 388: ...ct form http support kerio com United Kingdom Kerio Technologies UK Ltd Enterprise House Vision Park Histon Cambridge CB24 9ZR Tel 44 1223 202 130 http www kerio co uk Contact form http support kerio...

Page 389: ...S are Safari are trademarks or registered trademarks of Apple Computer Inc Linux is registered trademark of Linus Torvalds Mozilla and Firefox are registered trademarks of Mozilla Foundation KerberosT...

Page 390: ...License MPL Original source code can be downloaded from http h323plus org libcurl Copyright 1996 2008 Daniel Stenberg libiconv Copyright Free Software Foundation Inc Author Bruno Haible WinRoute incl...

Page 391: ...2001 2004 The PHP Group Copyright 1998 2002 HappySize Inc All rights reserved Prototype Copyright Sam Stephenson Homepage http prototype conio net ptlib This product includes unmodified version of the...

Page 392: ...irtual server keeps running Connections A virtual bidirectional communication channel between two hosts See also TCP DDNS DDNS Dynamic Domain Name System is DNS with the feature of automatic update of...

Page 393: ...nt This mode is suitable for cases where the firewall is at the server s side however it is not supported by some clients e g by web browsers passive mode data connection is established also by the cl...

Page 394: ...tunnel mode or for encryption of traffic between two hosts so called transport mode Kerberos Kerberos is a system used for secure user authentication in network environments It was developed at the M...

Page 395: ...ce P2P network Peer to Peer P2P networks are world wide distributed systems where each node can represent both a client and a server These networks are used for sharing of big volumes of data this sha...

Page 396: ...e g FTP in the active mode when data connection to a client is established by a server and to filter traffic by the corresponding protocol e g limited access to Web pages classified by URLs anti viru...

Page 397: ...P protocol Nowadays it is used by almost all standard Internet protocols SMTP POP3 IMAP LDAP etc At the beginning of communication an encryption key is requested and transferred using asymmetrical enc...

Page 398: ...ich transfers data through individ ual messages so called datagrams It does not establish new connections nor it provides reliable and sequentional data delivery nor it enables error correction or dat...

Page 399: ...bandwidth limiter 130 configuration 130 detection principle 135 beta version 387 BOOTP 116 C cache directory 124 DNS 103 size 124 URL exceptions 126 certificate SSL VPN 364 VPN server 313 Web Interfac...

Page 400: ...t connection 49 back up 58 dial on demand 53 381 leased line 50 load balancing 62 unintentional dialing 383 IPSec 84 ISS OrangeWeb Filter 163 deployment 165 parameters configuration 164 website catego...

Page 401: ...tration at the Kerio website 40 of purchased product 36 trial version 32 relay SMTP server 238 routing table 233 static routes 234 S services 79 192 SIP 195 SSL VPN 363 antivirus check 367 bookmarks 3...

Page 402: ...main mapping 214 in traffic rules 95 local 201 202 mapped 201 templates 201 204 user authentication 137 authentication methods 204 automatic login 210 configuration 138 in Active Directory 212 in NT d...

Page 403: ...403 security center 18 Windows Firewall 17 18 WinRoute Engine Monitor 18 19 WinRoute Firewall Engine 18 wizard configuration 22 traffic rules 67...

Page 404: ...404...

Search results

Summary of Contents for Firewall6

Reviews:

Related manuals for Firewall6

Brands by name

Popular brands

Kerio Tech Firewall6, Administrator'S Manual

Search results

Summary of Contents for Firewall6

Reviews:

Related manuals for Firewall6

Brands by name

Popular brands