Kerio Tech Firewall6 Скачать руководство пользователя страница 95

Страница: 95 / 404

7.6 User accounts and groups in traffic rules

Example: Optimization of network traffic load balancing

WinRoute

provides two options of network traffic load balancing: per host (clients) or per con-

nection (for details, refer to chapter

7.3

). With respect to variability of applications on individ-

ual hosts and of user behavior, the best solution (more efficient use of individual links) proves

to be the option of load balancing per connection. However, this mode may encounter prob-

lems with access to services where multiple connections get established at one moment (web

pages and other web related services). The server can consider source addresses in individual

connections as connection recovery after failure (this may lead for instance to expiration of

the session) or as an attack attempt (in that case the service can get unavailable).

This problem can be bridged over by policy routing. In case of “problematic” services (e.g.

HTTP

and

HTTPS

) the load will be balanced per host, i.e. all connections from one client will

be routed through a particular Internet link so that their IP address will be identical (a single

IP address will be used). To any other services, load balancing per connection will be applied

— thus maximally efficient use of the capacity of available links will be reached.

Meeting of the requirements will be guaranteed by using two NAT traffic rules — see fig-

ure

7.33

. In the first rule, specify corresponding services and set the

per host

NAT mode. In

the second rule, which will be applied for any other services, set the

per connection

NAT mode.

Figure 7.33

Policy routing — load balancing optimization

7.6 User accounts and groups in traffic rules

In traffic rules, source/destination can be specified also by user accounts or/and user groups.

In traffic policy, each user account represents IP address of the host from which user is con-

nected. This means that the rule is applied to users authenticated at the firewall only (when

the user logs out, the rule is not effective any longer). This chapter is focused on various

issues relating to use of user accounts in traffic rules as well as hints for their solution.

Note:

For detailed information on traffic rules definition, refer to chapter

7.3

How to enable certain users to access the Internet

How to enable access to the Internet for specific users only? Assuming that this problem

applies to a private local network and Internet connection is performed through NAT, simply

specify these users in the

Source

item in the NAT rule.

Содержание Firewall6

Страница 1: ...Kerio WinRoute Firewall 6 Administrator s Guide Kerio Technologies...

Страница 2: ...description on the Kerio WinRoute Firewall version 6 5 1 Improved version All additional modifications and updates reserved For current product version check http www kerio com kwfdwn Information rega...

Страница 3: ...e product in the Administration Console 32 4 4 Product registration at the website 40 4 5 Subscription Update Expiration 40 4 6 User counter 42 5 Network interfaces 44 6 Internet Connection 49 6 1 Per...

Страница 4: ...1 11 2 User logon and logout 146 11 3 Status information and user statistics 149 11 4 User preferences 150 11 5 Dial up 153 12 HTTP and FTP filtering 154 12 1 Conditions for HTTP and FTP filtering 155...

Страница 5: ...ay UPnP 236 18 3 Relay SMTP server 238 19 Status Information 240 19 1 Active hosts and connected users 240 19 2 Network connections overview 247 19 3 Alerts 251 20 Basic statistics 256 20 1 Volume of...

Страница 6: ...of Kerio VPN configuration company with a filial office 323 23 6 Example of a more complex Kerio VPN configuration 337 24 Kerio Clientless SSL VPN 363 24 1 Configuration of WinRoute s SSL VPN 363 24 2...

Страница 7: ...tionality of the Internet connection and of traffic among hosts within the local network before you run the WinRoute installation This test will reduce possible problems with debugging and error detec...

Страница 8: ...nts Automatic configuration activate the Obtain an IP address automatically option Do not set any other parameters Manual configuration define IP address subnet mask default gateway address DNS server...

Страница 9: ...tab All the security settings within WinRoute are managed through so called traffic policy rules These provide effective network protection from external attacks as well as easy access to all the serv...

Страница 10: ...nother host within the local network or the Internet Communication between WinRoute and the administration console is encrypted and thus protected from being tapped or misused Various Operating System...

Страница 11: ...while detailed statistics can be found in the firewall s web interface Kerio VPN proprietary VPN server and client WinRoute also provides a proprietary VPN solution which can be applied to the server...

Страница 12: ...from vendor to vendor Under proper circumstances use of the VPN solution included in WinRoute is recommended for details see chapter 23 Otherwise we recommend you to test a particular VPN server or V...

Страница 13: ...ntivirus check If WinRoute uses an antivirus to check objects downloaded via HTTP or FTP protocols see chapter 13 3 the cache directory can be excluded with no risk files in this directory have alread...

Страница 14: ...nstallation package file kerio kwf admin exe is de signed for remote administration from another host This package is identical both for 32 bit and 64 bit Windows systems For details on WinRoute admin...

Страница 15: ...e user interface can then be set separately for individual WinRoute components In the installation wizard you can choose either Full or Custom installation Cstom mode will let you select optional comp...

Страница 16: ...rogram does not allow to install the Administration Console separately Installation of the Administration Console for the remote administration requires a sepa rate installation package file kerio kwf...

Страница 17: ...XP Windows Server 2003 Windows Vista and Windows Server 2008 operating systems However these services collide with the UPnP support in WinRoute refer to chapter 18 2 The WinRoute installation include...

Страница 18: ...enter automatically This implies that the Security Center always indicates firewall status correctly and it does not display warn ings informing that the system is not protected 2 4 WinRoute Component...

Страница 19: ...guidance for Kerio Administration Console is provided in Kerio Administration Console Help http www kerio com kwf manual 2 5 WinRoute Engine Monitor WinRoute Engine Monitor is a standalone utility use...

Страница 20: ...version a notification is displayed 7 days before its expiration This information is displayed until the expiration 2 WinRoute Engine Monitor is available in English only 2 6 Upgrade and Uninstallati...

Страница 21: ...ed Keeping these files may be helpful for copying of the configuration to another host or if it is not sure whether the SSL certificates were issued by a trustworthy certification authority During uni...

Страница 22: ...ered in the dialog for account settings Name Admin can be changed in the Username edit box Note If the installation is running as an upgrade this step is skipped since the administrator account alread...

Страница 23: ...nfiguration Allowing remote administration Enable remote access This option enables full access to the WinRoute computer from a selected IP address Remote IP address IP address of the computer from wh...

Страница 24: ...erio com kwf manual The following chapters of this guide provide descriptions on individual sections of the WinRoute administration dialog window which is opened upon a successful login to the WinRout...

Страница 25: ...WinRoute at multiple servers For details refer to the Help section in the Administration Console manual Note The New Connection option opens the same dialog as running the Adminis tration Console from...

Страница 26: ...er host see Kerio Administration Console Help Administrator s guide this option displays the administrator s guide in HTML Help format For details about help files see Kerio Administration Console Hel...

Страница 27: ...e saved Reconnect connection to the server will be recovered without saving any changes performed in the particular section of the console before the disconnection If the reconnection attempt fails on...

Страница 28: ...estore default settings for better reference only columns providing the most important information are displayed by default The arrow buttons move the selected column up and down within the list This...

Страница 29: ...tion with a valid license number received as a response to purchase of the product WinRoute is available with full functionality Note If your license key gets lost for any reason e g after the harddis...

Страница 30: ...t up to date infor mation about individual licenses subscription extensions etc Deciding on a number of users licenses WinRoute s license key includes information about maximal number of users allowed...

Страница 31: ...em Name of the operating system on which the WinRoute Firewall Engine service is running License ID License number or a special license name Subscription expiration date Date until when the product ca...

Страница 32: ...chapter 16 2 the A new version is available click here for details notice is displayed whenever a new version is available Click on the link to open the dialog where the new version can be downloaded...

Страница 33: ...ion about the trial version user person company It is also necessary that the user accepts the Privacy Policy Terms Otherwise the information cannot be stored in the Kerio Technologies database Use th...

Страница 34: ...er information 4 The fourth page provides the information summary If any information is incorrect use the Back button to browse to a corresponding page and correct the data 5 The last page of the wiza...

Страница 35: ...e language set in the Administration Console where confirmation of the registration is demanded is sent to the email address specified on the page two of the wizard Click on the link in the email mess...

Страница 36: ...l components and subscriptions The page also includes any license numbers as sociated with the basic product that have already been registered Click on Add to add purchased license numbers Each number...

Страница 37: ...4 3 Registration of the product in the Administration Console 37 Figure 4 8 Product registration license numbers of additional components add ons and subscription...

Страница 38: ...s tions have already been answered the page is skipped and the registration process con sists of four steps only 5 The last page provides the information summary If any information is incorrect use th...

Страница 39: ...4 3 Registration of the product in the Administration Console 39 Figure 4 10 Product registration other information Figure 4 11 Product registration summary...

Страница 40: ...onsole welcome page This method can also be used for remote installation of the license key the license key file must be saved on the disk of the host from which the remote installation is performed B...

Страница 41: ...e or any of its components stops functioning or WinRoute or McAfee subscription expires The information is also stopped being displayed immediately after the registration of the subscription or a lice...

Страница 42: ...troubleshooting License policy must be borne in mind when deciding for a license purchase see chapter 4 1 The license counter works as follows Start WinRoute Upon WinRoute is started the table of cli...

Страница 43: ...sts handled by DNS Forwarder Warning If clients use a DNS server located outside the local network such communication is considered as communication with the Internet DHCP traffic using either the Win...

Страница 44: ...iguration Inter faces Figure 5 1 Network interfaces Groups of interfaces To simplify the firewall s configuration and make it as comfortable as possible network inter faces are sorted in groups in Win...

Страница 45: ...g VPN server and VPN tunnels cannot be moved from the VPN interfaces group To move an interface to another group drag it by mouse to the desired destination group or select the group in properties of...

Страница 46: ...ed interface does not support a certain function appropriate buttons will be inactive Add VPN Tunnel Use this option to create a new server to server VPN tunnel Details on the proprietary Kerio VPN so...

Страница 47: ...cords related to network cards or dial ups that do not exist any longer those that have been removed do not affect WinRoute s functionality such interfaces are con sidered as inactive as in case of a...

Страница 48: ...ured or removed If you do not consider RAS clients as parts of trustworthy networks for any reason you can move the Dial In interface to Other interfaces Note 1 If both RAS server and WinRoute are use...

Страница 49: ...et connection is an issue and two Internet links are available the connection failover feature can help If the primary link fails WinRoute switches to the secondary link automatically Users may theref...

Страница 50: ...plied by the ISP provider or they can be configured automatically with the DHCP protocol It is also possible to use a dial like link which can be connected persistently such as PPPoE connections or CD...

Страница 51: ...net interface where the default gateway is set is offered Therefore in most cases the appropriate adapter is already set within this step 2 If the more IP addresses are set for the interface the prima...

Страница 52: ...rface planned for DMZ you can move the particular interface to Other Interfaces For these interfaces it will be necessary to define corresponding traffic rules manually see chapter 7 3 It is also poss...

Страница 53: ...eated in the operating system It is not necessary to define and save login data in the dial up settings this information can be defined directly in WinRoute This connection type also requires one or m...

Страница 54: ...d edited if desirable The Internet Interfaces group includes only the Dial up connection link selected in the third page of the wizard This connection is set up as a dial on demand link see informatio...

Страница 55: ...ce of the default gateway if no route exist in the routing table where a packet would be directed WinRoute create a default gateway by dialing an Internet link Dialing options For dial ups the interfa...

Страница 56: ...over the other In times outside the defined ranges the link is dialed on demand Note 1 If a static route over a dial up is defined in WinRoute s routing table this link will be dialed whenever a pack...

Страница 57: ...comfortable and in certain cases even increase connection costs Note In the time interval where persistent connection of the link is set see above the idleness timeout is ignored Dialing scripts In so...

Страница 58: ...established automatically Requirements The computer hosting WinRoute must have two network interfaces for Internet connection a leased line Ethernet WiFi or a dial up with persistent connection CDMA P...

Страница 59: ...network card or a persistently connected dial up Failing that the sec ondary connection would be activated upon each hang up of the primary link automatically Configuration with the wizard On the sec...

Страница 60: ...f a leased link by a dial up Resulting interface configuration When you finish set up in Traffic Policy Wizard the resulting configuration can be viewed under Configuration Interfaces and edited if de...

Страница 61: ...nternet interfaces for primary and secondary connection links only To change settings of primary and secondary connection use corresponding options in the interface edit dialog see chapter 5 or use th...

Страница 62: ...e of failure of one of the lines the traffic is routed via another Note 1 Network load balancing is applied only to outbound traffic via the default route If the routing table see chapter 18 1 defines...

Страница 63: ...r a dial up test the leased link connection first and then dial the other one Dialing of the link opens creates a new default route via this link which allows us to test Internet connection on the sec...

Страница 64: ...s the ratio of speed between individual links it determines how Internet traffic will be divided among these links If login data for the selected telephone connections are not saved in the operating s...

Страница 65: ...her connection on this Internet link is working and part of Internet traffic can be routed through it Other interfaces including Dial In are considered as segments of the LAN and put in Trusted Local...

Страница 66: ...sible to specify IP addresses of other one or more testing computers upon clicking on Advanced If at least one of the tested devices is available the Internet connection in question is considered as f...

Страница 67: ...traffic rules and later customize them as desired Advanced administrators can create all the rules according to their specific needs without using the wizard 7 1 Network Rules Wizard The network rule...

Страница 68: ...nk with connection failover or multiple links with net work traffic load balancing On the third page you can set parameters for the selected type of Internet connection Individual options of Internet...

Страница 69: ...n be allowed by modification of NAT traffic rules for LAN hosts or Firewall traffic rules for the firewall or by adding custom rules For details see chapter 7 3 Step 5 enabling Kerio VPN traffic To us...

Страница 70: ...the Internet is running on the WinRoute host or another host within the local network define it in this dialog Figure 7 4 Network Policy Wizard enabling local services Note If creating of rules for Ke...

Страница 71: ...ay of the host otherwise the service will not be available Service Selection of a service to be enabled The service must be defined in Configurations Defi nitions Services formerly see chapter 14 3 Ma...

Страница 72: ...face of the firewall i e the interface connected to the Internet page 3 Note Since WinRoute 6 4 0 mapped services can be accessed also from local networks it is therefore not necessary to use another...

Страница 73: ...onfiguration It is not necessary to change this rule whenever a new segment of the LAN is connected or Internet connection is changed By default the Trusted Local interfaces group includes also a Dial...

Страница 74: ...the list is key The order of the rules can be changed with the two arrow buttons on the right side of the window An explicit rule denying all traffic is shown at the end of the list This rule cannot b...

Страница 75: ...text describing the particular rule may be used to specify the Description entry up to 1024 characters If the description is specified the bubble symbol is displayed in the Name column next to the rul...

Страница 76: ...entioned above we recommend you to specify source and destination computers only through IP addresses in case that you are connected to the Internet through a dial up IP range e g 192 168 1 10 192 168...

Страница 77: ...unnel in the source destination address definition 1 Incoming VPN connections VPN clients all VPN clients connected to the WinRoute VPN server via the Kerio VPN Client 2 VPN tunnel network connected t...

Страница 78: ...the firewall authentication page If users use each various hosts to connect from IP addresses of all these hosts must be considered 2 If user accounts or groups are used as a source in the Internet a...

Страница 79: ...groups see chapter 15 are removed The Nothing value is automatically used for all Source Desti nation or and Service items of rules where a removed interface or a user account a group or a service has...

Страница 80: ...ocol inspector for a certain service in WinRoute it is applied to all corre sponding traffic automatically If desired to bypass the protocol inspector for certain traffic it is necessary to define thi...

Страница 81: ...urce address translation is used in traffic rules applied to traffic from the local private network to the Internet In other rules traffic between the local network and the firewall between the firewa...

Страница 82: ...d dialing or connection failover these options have no effect on WinRoute s functionality Hint For maximal efficiency of the connection s capacity it is possible to combine both load balancing methods...

Страница 83: ...T with specific IP address Full cone NAT For all NAT methods it is possible to set mode of allowing of incoming packets coming from any address so called Full cone NAT If this option is off WinRoute p...

Страница 84: ...ernet4 Such rule would significantly decrease security of the local network Note 1 Older versions of WinRoute to version 6 3 1 incl used so called Symmetric NAT where each outgoing connection on the f...

Страница 85: ...t recorded in the local DNS since rule is not applied until a corresponding IP address is found This might cause temporary malfunction of the mapped service Translate port to during the process of IP...

Страница 86: ...lt settings of the Traffic Policy window for details on showing and hiding columns see chapter 3 2 Valid on Time interval within which the rule will be valid Apart from this interval WinRoute ignores...

Страница 87: ...affic policy provides a range of network traffic filtering options In this chapter you will find some rules used to manage standard configurations Using these examples you can easily create a set of r...

Страница 88: ...tion option should be set in the Destination address translation section otherwise the rule might not function Combining source and destination IP address translation is relevant under special conditi...

Страница 89: ...Allow option otherwise all traffic will be blocked and the function of port mapping will be irrelevant Translation In the Destination NAT Port Mapping section select the Translate to IP address option...

Страница 90: ...interface connected to the Internet uses two public IP addresses 63 157 211 10 and 63 157 211 11 We want the server web1 to be available from the Internet at the IP address 63 157 211 10 the server w...

Страница 91: ...lation rule in the Service entry specify only those services that are intended to be allowed Figure 7 25 Internet connection sharing only selected services are available 2 Limitations sorted by IP add...

Страница 92: ...a user group can be allowed to access certain Internet services only 2 Usage of user accounts and groups in traffic policy follows specific rules For detailed description on this topic refer to chapte...

Страница 93: ...tions in traffic rules for Internet access with IP address translation NAT This approach brings wide range of options helping to meet all requirements for routing and network load balancing Note Polic...

Страница 94: ...the link for traffic with a specific server see figure 7 32 Figure 7 32 Policy routing a link reserved for a specific server Note In the second rule automatic interface selection is used This means t...

Страница 95: ...ther services load balancing per connection will be applied thus maximally efficient use of the capacity of available links will be reached Meeting of the requirements will be guaranteed by using two...

Страница 96: ...he reason is that the automatic authentication or redirection to the login page is not invoked unless connection to the Internet is being established for license counting reasons see chapter 4 6 Howev...

Страница 97: ...esses and a traffic rule for this service that will define explicitly that no protocol inspector will be used Example A banking application client communicates with the bank s server through its prope...

Страница 98: ...traffic method where other clients can with direct connection established connect to a port opened by an outgoing packet For these cases WinRoute includes a special mode of address translation known...

Страница 99: ...iginal outgoing connection for the registration was established However use of Full cone NAT allows such connection for any client calling to the SIP telephone in the local network Full cone NAT will...

Страница 100: ...the Internet The parameters may be as follows IP addresses of the phones 192 168 1 100 and 192 168 1 101 Public IP address of the firewall 195 192 33 1 SIP server sip server com For the telephones de...

Страница 101: ...tween the local network and the Internet being allowed be fore processed by the firewall packets use a local source address and an Internet destina tion address i e this is an outgoing traffic from th...

Страница 102: ...ddress of the primary or the back up DNS server This solution has the risk of slow DNS responses All requests from each computer in the local network will be sent to the Internet use the DNS server wi...

Страница 103: ...the service uses UDP protocol and port 53 If DNS Forwarder is not used for your network configuration it can be switched off If you want to run another DNS server on the same host DNS Forwarder must...

Страница 104: ...Internet directly this will speed up the response DNS forwarder s settings also play role in configuration of private networks where it is necessary to provide correct forwarding of requests for name...

Страница 105: ...ould be ordered starting by the most specific one e g name of a particular computer and with the most general one at the bottom e g the main domain of the company Similarly to this rules for reversed...

Страница 106: ...ery alternative to specify rule for DNS queries on IP addresses in a particular subnet Subnet is specified by a network address and a corresponding mask i e 192 168 1 0 255 255 255 0 Use the Then forw...

Страница 107: ...P lease tables and find out which IP address has been assigned to the host name If asked to inform about the local name of the host DNS Forwarder will always respond with the current IP address Note I...

Страница 108: ...ress with appropriate subnet mask and other optional parameters such as IP address of the default gateway addresses of DNS servers domain name etc for the client stations All client parameters can be...

Страница 109: ...wo parts in one address scopes and in the other reservations are defined Figure 8 5 DHCP server IP scopes In the Item column you can find subnets where scopes of IP addresses are defined The IP subnet...

Страница 110: ...with a complete list of advanced parameters sup ported by DHCP including the four mentioned above Any parameter supported by DHCP can be added and its value can be set within this dialog Default param...

Страница 111: ...belong to the subnet defined by the mask If this requirement is not met an error will be reported after the confirmation with the OK button Lease time Time for which an IP address is assigned to clien...

Страница 112: ...assigned IP address of the interface the network is connected to Default gateway of another network would be useless not available to clients DNS server any DNS server or more DNS servers separated wi...

Страница 113: ...ddress Scope tab Each scope is described with the following items total number of addresses within this scope number and percentage proportion of leases number and percentage proportion of free addres...

Страница 114: ...ls i e with the ipconfig command or with a special application provided by the net work adapter manufacturer host name DHCP requests of most DHCP clients include host names i e all Windows operating s...

Страница 115: ...ddress leased IP address Lease Expiration date and time specifying expiration of the appropriate lease MAC Address hardware address of the host that the IP address is assigned to in cluding name of th...

Страница 116: ...currently assigned to The Scopes tab with a dialog where the appropriate address can be leased will be opened automatically All entries except for the Description item will be already defined with ap...

Страница 117: ...d users has been exceeded see chapter 4 6 This implies that repeated connection of RAS clients may cause exceeding of the num ber of licensed users if the IP scope for the RAS service is too large or...

Страница 118: ...us allows making mapped services always available under the same server name regardless of the fact if IP address changes and how often How cooperation with dynamic DNS works Dynamic DNS DDNS is a ser...

Страница 119: ...quest for update of DNS records with name company com This requests starts update of DNS records of both names DDNS configuration in WinRoute To set cooperation with the dynamic DNS server go to the D...

Страница 120: ...can forward all queries to so called parent proxy server 2 Internet connection is performed via a dial up and access to certain Web pages is blocked refer to chapter 12 2 If a direct connection is use...

Страница 121: ...y 3128 port is set by the default Warning If you use a port number that is already used by another service or application WinRoute will accept this port however the proxy server will not be able to ru...

Страница 122: ...te The name and password for authentication to the parent proxy server is sent with each HTTP request Only Basic authentication is supported The Forward to parent proxy server option specifies how Win...

Страница 123: ...articular objects will be performed upon a new request of the page The required object will be found in cache unless the TTL timeout has expired If it has expired a check for a new update of the objec...

Страница 124: ...removed automatically Cache size Size of the cache file on the disk Maximal cache size allowed is 2 GB 2047 MB Note 1 If 98 per cent of the cache is full a so called cleaning will be run this functio...

Страница 125: ...ccelerates connection to redirected web pages Under usual circumstances 302 Redirect responses are not cached HTTP proto col s return code 302 stands for temporary redirection such redirection can be...

Страница 126: ...ject or shorten its TTL i e for pages that are accessed daily Use the URL specific settings button to open a dialog where TTL for a particular URL can be defined Figure 8 17 HTTP cache specific settin...

Страница 127: ...l number of queries since the startup of the WinRoute Firewall Engine The efficiency of the cache depends especially on user behavior and habits if users visit certain webpages regularly if any websit...

Страница 128: ...object its size in bytes B and number of hours representing time left to the expiration To keep the list simple and well organized up to 100 items are displayed at a single page The Previous and Next...

Страница 129: ...8 5 HTTP cache 129...

Страница 130: ...r the other traffic where big data volumes are not transmitted but where for example response time may play a role 9 1 How the bandwidth limiter works and how to use it The Bandwidth Limiter module pr...

Страница 131: ...while ISPs usually use kilobits per second kbps kbit s or kb s or in megabits per second Mbps Mbit s or Mb s The conversion pattern is 1 KB s 8 kbit s A 256 kbit s line s speed is 32 KB s a 1 Mbit s...

Страница 132: ...details see chapter 15 1 Advanced Options Click on Advanced to define advanced Bandwidth Limiter parameters These parameters ap ply only to large data volume transfers They do not apply to users with...

Страница 133: ...ection of network services IP Addresses and Time Interval It may be also helpful to apply bandwidth limiter only to certain hosts for example it may be undesired to limit a mailserver in the local net...

Страница 134: ...ved in a connection belongs to the address group The other traffic will not be limited Apply to all except the selected address group the bandwidth limiter will not be applied if at least one IP addre...

Страница 135: ...er certain amount of data objects included at the page and then closes the connections Terminal services e g Telnet SSH etc typically use an open connection to transfer small data volumes in longer in...

Страница 136: ...data volume transfer since after 150 KB of data have been transferred before an only 5 sec long idleness interval and then only other 150 KB of data have been transmitted within the connection Figure...

Страница 137: ...n WinRoute can authenticate at the firewall regardless their access rights Users can connect Manually by opening the WinRoute web interface in their browser https server 4081 or http server 4080 the n...

Страница 138: ...he browser WinRoute detects whether the user has already authenticated If not WinRoute will re direct the user to the login page automatically After a successful login the user is automatically re dir...

Страница 139: ...trix Presentation Server orFast user switching on Windows XP Windows Server 2003 Windows Vista and Windows Server 2008 the firewall requires authentica tion only from the user who starts to work on th...

Страница 140: ...nutes of allowed user inactivity When this period ex pires the user is automatically logged out from the firewall The default timeout value is 120 minutes 2 hours This situation often comes up when a...

Страница 141: ...references avail able to all users Statistics viewed in the web interface available only to users possessing appropriate rights are addressed in chapter 21 11 1 Web Interface Parameters Configuration...

Страница 142: ...lso used in case that WinRoute needs redirect the browser to the login page for example if an unauthenticated user attempts to open a web page where authentication is required see chapters 10 1 and 12...

Страница 143: ...n URLs for pages of the Web interfaces However the standard HTTPS port 443 uses the Clientless SSL VPN interface see chapter 24 Therefore it cannot be used for secured web interface in the default con...

Страница 144: ...is key is then used for encryption and decipher any other traffic Generate or Import Certificate During WinRoute installation a testing certificate for the SSL secured Web interface is created automat...

Страница 145: ...icate ensures your clients security as it is unique and the identity of your server is guaranteed by it Clients will be warned only about the fact that the certificate was not issued by a trustworthy...

Страница 146: ...d for access to the WinRoute s web interface Any user with their own account in WinRoute can authenticate to the web interface regardless their access rights Note Authentication at the web interface i...

Страница 147: ...e overall tab for details see chapter 21 The My Account option available at the upper right corner can be used to switch to the user settings It is possible to return to the statistics page by the Sta...

Страница 148: ...ch conditions a special version of the login page is opened Figure 11 6 User authentication by password Authenticated user connecting to the web interface can continue their work in the interface afte...

Страница 149: ...5 1 information on usage of individual quotas percentage is also provided here Hint Week and month starting days can be changed in accounting period settings see chap ter 21 2 Figure 11 7 Transfer Quo...

Страница 150: ...be available it will not be blocked by the firewall If a certain feature is disabled in the parameters of a user account see chapter 15 1 a corresponding item within this page is inactive user cannot...

Страница 151: ...this item does not match the required server name Cross domain referer blocking protects users privacy the Referer item can be monitored to determine which pages are opened by a user Save settings To...

Страница 152: ...b Interface Language Preferences WinRoute s Web Interface is available in various languages In lower section of the Preferences tab it is possible to set language for the web interface Figure 11 11 Se...

Страница 153: ...for details see chapter 5 Figure 11 12 Web interface dial ups control The following information items are provided for each line RAS interface name of the interface in WinRoute see chapter 5 Current s...

Страница 154: ...ng access limitations according to URL substrings contained in URL addresses blocking of certain HTML items i e scripts ActiveX objects etc filtering based on classification by the ISS OrangeWeb Filte...

Страница 155: ...d FTP rules are applied also when the WinRoute s proxy server is used then condition 1 is irrelevant However FTP protocol cannot be filtered if the parent proxy server is used for details see chapter...

Страница 156: ...l information will be displayed Drop access will be denied and a blank page will be opened Redirect user will be redirected to the page specified in the rule Condition condition which must be met to a...

Страница 157: ...ect which users this rule will be applied on any user for all users no authentication required selected user s for selected users or and user groups who have authenticated to the firewall Note 1 It is...

Страница 158: ...a URL group refer to chapter 14 4 which the URL should match with is rated by ISS OrangeWeb Filter rating system the rule will be applied on all pages matched with a selected category by the ISS Oran...

Страница 159: ...group Selection of IP address group on which the rule will be applied Client source addresses are considered Use the Any option to make the rule independent of clients Click on the Edit button to edit...

Страница 160: ...ags are allowed in the restriction text If the plaintext format is not sufficient it is recommended to use redirection to another page see below A blank page user will not be informed why access to th...

Страница 161: ...odule can be set Use the Enable HTTP Log and Enable Web Log options to enable disable logging of HTTP queries opened web pages to the HTTP log see chapter 22 10 and to the Web log refer to chapter 22...

Страница 162: ...ngs on the WWW content scanning options tab are applied to traffic of hosts where users are not authenticated Special settings are used for users connected through the firewall Each authenticated user...

Страница 163: ...ge content Each page is sorted into predefined categories Access to the page will be either permitted or denied according to this classification ISS OrangeWeb Filter uses a dynamic worldwide database...

Страница 164: ...et and configured through the ISS OrangeWeb Filter tab in Configuration Content Filtering HTTP Policy Enable ISS OrangeWeb Filter use this option to enable disable the ISS OrangeWeb Filter module for...

Страница 165: ...acters even zero a ker o question mark represents just one symbol Description Comments for the items defined For reference only ISS OrangeWeb Filter Deployment To enable classification of Websites by...

Страница 166: ...ISS OrangeWeb Filter rating system is considered the key parameter The URL of each opened page will be rated by the ISS OrangeWeb Filter module Access to each page matching with a rating category incl...

Страница 167: ...monitor whether unlock queries were appropriate or not 12 5 Web content filtering by word occurrence WinRoute can also filter Web pages that include undesirable words This is the filtering principle D...

Страница 168: ...details see below On the URL Rules tab under Configuration Content Filtering HTTP Policy create a rule or a set of rules to allow access to the group of web pages which will be filtered by forbidden w...

Страница 169: ...le filtering web pages by word occurrence word filtering Word groups To define word groups go to the Word Groups tab in Configuration Content Filtering HTTP Policy the Forbidden Words tab Words are so...

Страница 170: ...ecified in Deny pages with weight over represents so called treshold weight value for each page i e total weight of all forbidden words found at the page If the total weight of the tested page exceeds...

Страница 171: ...ot match any rule access to the FTP server is implicitly allowed Note 1 The default WinRoute configuration includes a set of predefined rules for FTP traffic These rules are disabled by default These...

Страница 172: ...o disable the rule Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later Note FTP traffic which does not match any FTP rule is allowed any traff...

Страница 173: ...be applied any server any FTP server server IP address of DNS name of a particular FTP server If an FTP server is defined through a DNS name WinRoute will automatically per form IP address resolution...

Страница 174: ...rule will be applied Client source addresses are considered Use the Any option to make the rule independent of clients Click on the Edit button to edit IP groups for details see chapter 14 1 Content A...

Страница 175: ...viruses according to scanning rules Use this option to enable disable scanning for viruses for FTP traffic which meet this rule This option is available only for allowing rules it is meaningless to ap...

Страница 176: ...ighly recommended to consider thoroughly which method of antivirus check should be used and to which protocols it should be applied and if possible and desired to try the configuration in the trial ve...

Страница 177: ...source address translation technology is used for Internet connection address translation must be set for this rule as well Note A corresponding protocol inspector can be also specified within the ser...

Страница 178: ...Error log refer to chapter 22 8 Each download update attempt sets the Last update check performed value to zero Warning To make the antivirus control as mighty as possible it is necessary that the an...

Страница 179: ...virus version s as well as information regarding the age of the current virus database will be displayed If the update check fails i e the server is not available an error will be reported and detaile...

Страница 180: ...t might happen that the connection over which the file is transferred is interrupted when the time limit is exceeded The optimal value of the file size depends on particular conditions the server s pe...

Страница 181: ...for HTTP and FTP traffic objects files of selected types are scanned The file just transmitted is saved in a temporary file on the local disk of the firewall WinRoute caches the last part of the trans...

Страница 182: ...ute host WinRoute administrators can later try to heal the file using an an tivirus program and if the file is recovered successfully the administrator can provide it to the user who attempted to down...

Страница 183: ...to be taken when the antivirus check cannot be applied to a file e g the file is compressed and password protected damaged etc Deny transmission of the file WinRoute will consider these files as infec...

Страница 184: ...ule HTTP FTP filename this option filters out certain filenames not entire URLs transmitted by FTP or HTTP e g exe zip etc If only an asterisk is used for the specification the rule will apply to any...

Страница 185: ...is detected the attachment is replaced by a notice informing about the virus found Note Warning messages can also be sent to specified email addresses e g to network admin istrators when a virus is d...

Страница 186: ...ter send them to their original addressees The quarantine subdirectory under the WinRoute directory is used for the quarantine the typical path is C Program Files Kerio WinRoute Firewall quarantine Me...

Страница 187: ...ck Disable TLS Secure mode will not be available Clients will automatically assume that the server does not support TLS and messages will be transmitted through an unencrypted connection Firewall will...

Страница 188: ...ion the antivirus check will be applied By default only files downloaded from a remote client to a local host are scanned to avoid slowdown local network is treated as trustworthy If the antivirus che...

Страница 189: ...s IP address ranges subnets or other groups Creating and Editing IP Address Groups You can define IP address groups in the Configuration Definitions Address Groups section Figure 14 1 WinRoute s IP gr...

Страница 190: ...eters of the new item related to the selected type Description Commentary for the IP address group This helps guide the administrator Note Each IP group must include at least one item Groups with no i...

Страница 191: ...ed edited and removed in Configuration Definitions Time Ranges Clicking on the Add button will display the following dialog window Name Name identification of the time interval Insert a new name to cr...

Страница 192: ...3 Services WinRoute services enable the administrator to define communication rules easily by permit ting or denying access to the Internet from the local network or by allowing access to the local ne...

Страница 193: ...ices Clicking on the Add or the Edit button will open a dialog for service definition Figure 14 6 Network service definition Name Service identification within WinRoute It is strongly recommended to u...

Страница 194: ...elow that will be used for this service Note Each inspector should be used for the appropriate service only Functionality of the service might be affected by using an inappropriate inspector Source Po...

Страница 195: ...be used in passive mode The FTP protocol inspector distinguishes that the FTP is active opens the appropriate port and redirects the connection to the appropriate client in the local network Due to t...

Страница 196: ...group of web pages you can simply define a URL group and assign permissions to the URL group rather than defining permissions to each individual URL rule A URL group rule is processed significantly fa...

Страница 197: ...URL group definition Name Name of the group in which the new item will be added Options of the Name entry are as follows select a group to which the URL will be added add a name to create a new group...

Страница 198: ...with www www www kerio com all URLs at the www kerio com server this string is equal to the www kerio com string sex all URL addresses containing the sex string sex cz all URL addresses containing suc...

Страница 199: ...tory domain i e password is not stored in the user account in WinRoute Obviously usernames in WinRoute must match with the usernames in the domain This method is not so demanding as far as the adminis...

Страница 200: ...nnection to the WinRoute administration in case of the network or domain server failure 15 1 Viewing and definitions of user accounts To define local user accounts import accounts to the local databas...

Страница 201: ...ptions are available for accounts in the local database Add Edit Remove Click Add Edit or Remove to create modify or delete local user accounts for details see chapter 15 2 It is also possible to sele...

Страница 202: ...account each user can be authenticated through the WinRoute s internal database Active Directory or Windows NT domain A basic administrator account is created during the WinRoute installation process...

Страница 203: ...15 2 Local user accounts 203 Figure 15 2 Local user accounts in WinRoute Step 1 basic information Figure 15 3 Creating a user account basic parameters Name Username used for login to the account...

Страница 204: ...ication User authentication see below Account is disabled Temporary blocking of the account so that you do not have to remove it Note For example this option can be used to create a user account for a...

Страница 205: ...tab to set parameters for user authentication through the Windows NT domain or and through the Active Directory If Active Directory authentication is set also for Windows NT domain then Active Directo...

Страница 206: ...annot edit them Full access to administration These users have full rights to administration and are equal to the Admin account If there is at least one user with the full access to the administration...

Страница 207: ...by a user account template Step 4 data transmission quota Daily and monthly limit for volume of data transferred by a user as well as actions to be taken when the quota is exceeded can be set in this...

Страница 208: ...Route see chapter 18 3 If you wish that your WinRoute administrator is also notified when a quota is almost exceeded set the alert parameters in Configuration Accounting For details refer to chapter 1...

Страница 209: ...t filter rules settings for individual users can be defined Global rules defined in the Content Rules tab in the Configuration Content Filtering HTTP Policy section are used as default when a new user...

Страница 210: ...be defined by a user account template Step 6 user s IP addresses Figure 15 8 Creating a new user account IP addresses for VPN client and automatic logins If a user works at a reserved workstation i e...

Страница 211: ...ess Using this method a fixed IP address can be assigned to a user when he she connects to the local network via the Kerio VPN Client It is possible to add this IP to the list of IP addresses from whi...

Страница 212: ...matic import of user accounts from Active Directory If Active Directory is used automatic import of user accounts can be applied Specific WinRoute parameters such as access rights content rules data t...

Страница 213: ...from the Windows NT do main or from Active Directory Each import of a user account covers creating of a local account with the identical name and the same domain authentication parameters Specific Win...

Страница 214: ...cted domain are listed When accounts are selected and the selection is confirmed the accounts are imported to the local user database 15 4 Active Directory domains mapping In WinRoute it is possible t...

Страница 215: ...ion regarding the operating system on the corre sponding domain server 3 For DNS configuration the same rules are followed as for mapping of a single domain DNS server must be a domain server of the d...

Страница 216: ...ecified server or to search for a domain server The automatic connection to the first server available increases reliability of the connection and eliminates problems in cases when a domain controller...

Страница 217: ...se automatic authentication in web browsers see chapter 25 2 For NTLM authentication name of the NT domain corresponding with the domain speci fied in the Active Directory domain is required For mappi...

Страница 218: ...the primary domain only define which users will be allowed to login to WinRoute i e to the web interface to the SSL VPN inter face to the WinRoute administration etc using the username without domain...

Страница 219: ...ithout the domain specified represents an account belonging to the local database However as long as possible it is recommended to remove all collisions by the conversion Note In case of user groups c...

Страница 220: ...ied criteria The searching is interactive each symbol typed or deleted defines the string which is evaluated immediately and all groups including the string in either Name or Description are viewed Th...

Страница 221: ...move users to from the group If user accounts have not been created yet the group can be left empty and users can be added during the account definition see chapter 15 1 Hint When adding new users you...

Страница 222: ...ck actions are traced in the Security log Users can dial RAS connection If the Internet connection uses dial up lines users of this group will be allowed to dial and hang up these lines in the Web int...

Страница 223: ...ote administration is available from all local hosts How to allow remote administration from the Internet In the following example we will demonstrate how to allow WinRoute remote administration from...

Страница 224: ...y rule 16 2 Update Checking WinRoute enables automatic check for new versions at the Kerio Technologies website When ever a new version is detected is download and installation is offered Open the Upd...

Страница 225: ...yet and they could endanger functionality of your networks etc Check now Click on this button to check for updates immediately If a new version is available detailed information links and download li...

Страница 226: ...Chapter 16 Remote Administration and Update Checks 226 Figure 16 3 Administration Console s welcome page informing that a new version is available...

Страница 227: ...o one or multiple P2P networks The following restrictions can be applied to users of P2P networks i e to hosts on which clients of such networks are run Blocking options it is possible to block access...

Страница 228: ...es time when the restriction for the particular host will be applied The P2P Eliminator module enables traffic for this user automatically when the specified time expires The time of disconnection sho...

Страница 229: ...network is detected e g the WinRoute administrator define the alert on the Alerts Settings tab of the Configuration Account ing section For details see chapter 19 3 Parameters for detection of P2P net...

Страница 230: ...ist of so called secure services These services will be excluded from detection of P2P traffic The Define services button opens a dialog where services can be define that will not be treated as traffi...

Страница 231: ...any other interface is correct Detailed information on networks connected to individual interfaces is acquired in the routing table The Anti Spoofing function can be configured in the Anti Spoofing f...

Страница 232: ...ction count limits protects the firewall the WinRoute host from flooding and it can reduce undesirable activities by worms and Trojan horses Note This feature does not limit number of connections comi...

Страница 233: ...the route p command Note 1 In the Internet connection failover mode see chapter 6 3 only the current default route is shown depending on which Internet interface is currently active 2 In case of multi...

Страница 234: ...amically upon connecting and disconnecting of VPN clients or upon creating and removing of VPN tunnels VPN routes cannot be created modified nor removed by hand Inactive routes routes which are curren...

Страница 235: ...be in the same IP subnet as the selected interface Metric Distance of the destination network The number stands for the number of routers that a packet must pass through to reach the destination netw...

Страница 236: ...e restored automatically There are many methods that can be used to create persistent routes the methods vary according to operating system in some systems the route p or the route command called from...

Страница 237: ...through ports mapped with UPnP will be recorded in the Filter log see chapter 22 9 Log connections If this option is enabled all packets passing through ports mapped with UPnP will be recorded in the...

Страница 238: ...server tab in Configuration Advanced Options Figure 18 5 SMTP settings reports sending Server Name or IP address of the server Note If available we recommend you to use an SMTP server within the loca...

Страница 239: ...resolved warning message is displayed in the SMTP Relay tab until the IP address is not found If the warning is still displayed this implies that an invalid non existent DNS name is specified or the D...

Страница 240: ...on about certain activity is reported e g error or warn ing reports debug information etc Each item is represented by one row starting with a timestamp date and time of the event In all language versi...

Страница 241: ...ss of the host from which the user is connecting from Login time Date and time of the recent user login to the firewall Login duration Monitors length of the connection This information is derived fro...

Страница 242: ...or Firefox SeaMonkey core version 1 3 or later is used VPN client user has connected to the local network using the Kerio VPN Client for details see chapter 23 Note Connections are not displayed and t...

Страница 243: ...ation in the Active Hosts window Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh Logout user Immediate logout of...

Страница 244: ...conds when the activity was detected Activity Event Type of detected activity network communication WinRoute distinguishes between the following activities SMTP POP3 WWW HTTP traffic FTP Streams real...

Страница 245: ...the Connections tab you can view detailed information about connections established from the selected host to the Internet and in the other direction e g by mapped ports UPnP etc The list of connecti...

Страница 246: ...to enable disable showing of DNS names instead of IP ad dresses in the Source and Destination columns If a DNS name for an IP address cannot be resolved the IP address is displayed You can click on th...

Страница 247: ...on the selected period The green curve represents volume of incoming data download in a selected time period while the area below the curve represents the total vol ume of data transferred in the per...

Страница 248: ...individual messages so called datagrams Periodic data exchange is monitored in this case Figure 19 7 Overview of all connections established via WinRoute One connection is represented by each line of...

Страница 249: ...nformation in Connections is refreshed automatically within a user defined interval or the Refresh button can be used for manual refreshing Options of the Connections Dialog The following options are...

Страница 250: ...atic refreshing of the information in the Connections window Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh Man...

Страница 251: ...of direction of IP addresses out SNAT or in DNAT For details refer to chapter 7 19 3 Alerts WinRoute enables automatic sending of messages informing the administrator about impor tant events This make...

Страница 252: ...ding host Low free disk space warning this alert warns the administrator that the free space of the WinRoute host is low under 11 per cent of the total disk capacity WinRoute needs enough disk space f...

Страница 253: ...ne must use an appropriate email address e g number provider com Sending of SMS to telephone numbers for example via GSM gateways connected to the WinRoute host is not supported To Email address of th...

Страница 254: ...p If alert templates in the language are not available English version is used instead Email and SMS alerts are always in English Note In the current WinRoute version alerts are available only in Engl...

Страница 255: ...ername virus name etc Click an event to view detailed information on the item including a text description defined by templates under console details see above in the bottom section of the window Figu...

Страница 256: ...ividual users during various time periods today this week this month and total The Quota column provides usage of transfer quota by a particular user in percents see chap ter 15 1 Colors are used for...

Страница 257: ...stats cfg file in the WinRoute directory This implies that this data will be saved the next time the WinRoute Firewall Engine will be started User Quota dialog options Right click on the table or on a...

Страница 258: ...tomatic refreshing of the information on the User Statistics tab Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh...

Страница 259: ...tem data from the Internet was received through this interface at the LAN interface as OUT data was sent to the local network through this interface Note Interface statistics are saved into the stats...

Страница 260: ...ected to can be removed Whenever a removed interface is activated again upon connection of the VPN tunnel etc it is added to the statistics automatically Graphical view of interface load The traffic p...

Страница 261: ...forming about average throughput at the interface Example Suppose the 1 day interval is selected Then an impulse unit is represented by 5 minutes This means that every 5 minutes an average traffic spe...

Страница 262: ...ample to figure out exact numbers of Internet connection costs per user 3 For correct functionality of the Kerio StaR interface it is necessary that the WinRoute host s operating system supports all l...

Страница 263: ...ored by the proxy server itself see chapter 8 4 Note HTTPS traffic is encrypted and therefore it is impossible to monitor visited sites and categories Only volume of transferred data is included in th...

Страница 264: ...r statistics and quota Under certain circumstances too many connected users great volume of transmitted data low capacity of the WinRoute host etc viewing of statistics may slow WinRoute and data tran...

Страница 265: ...o StaR interface see chapter 20 Figure 21 2 Kerio StaR advanced options The Show user names in statistics by option enables select a mode of how users and their names will be displayed in individual u...

Страница 266: ...red and included in statistics and quota e g only in working hours Without this period no traffic will be included in the statistics and in the quota neither For details on time intervals see chapter...

Страница 267: ...ps refer to chapter 14 1 URL exceptions can be applied only to unsecured web pages the HTTP protocol Connec tions to secured pages the HTTPS protocol are encrypted and URL of such pages cannot be dete...

Страница 268: ...r 11 1 This guarantees function of the link from the WinRoute host and from the local network To make Internet Usage Statistics link work also for remote administration over the Internet name of the p...

Страница 269: ...t and table of top users having visited the greatest number of web pages of the domain is provided Web Categories the top ten most frequently visited web categories in accordance with the ISS OrangeWe...

Страница 270: ...oolbar at the top of the Kerio StaR page Figure 21 6 Kerio StaR toolbar and accounting periods The toolbar includes buttons for fast switching between accounting periods daily weekly monthly Arrows pr...

Страница 271: ...esponding textfield Note Under certain circumstances an information may be reported that this period will be rounded to whole weeks or months In such a case the real rounded period for the statistics...

Страница 272: ...on the current period day the chart shows traffic by hours week or month the chart shows traffic by days For custom periods up to 2 days the chart shows traffic by hours up to 5 weeks the chart shows...

Страница 273: ...transferred data The chart shows part of the most active users in the total volume of transferred data in the selected period Hover a user s name in the chart by the mouse pointer to see volume of dat...

Страница 274: ...col The chart of used protocols shows part of individual protocols i e their classes in the total volume of data transferred in the selected accounting period Hover a protocol name with the mouse poin...

Страница 275: ...Messenger etc Other any traffic which does not belong to any of the previously described categories 1 The No data available alert informs that no data is available in WinRoute s database for the sele...

Страница 276: ...Advanced button see chapter 21 2 When a user is selected full name username and email address are displayed if defined in the user account The View User s Activity link switches StaR to the Users Acti...

Страница 277: ...l available information about the se lected user username email address etc Figure 21 17 User s Activity user info Under this header all detected activities of this user in the selected time period ar...

Страница 278: ...activities are sorted in a few categories Under the title of each category summary information total number of connections total volume of transferred data etc is provided followed by detailed overvie...

Страница 279: ...ssible to simply click on the link to open the page in a new window or a new tab of the browser If the page has no title it will not be included in the activity list Connections to secured pages HTTPS...

Страница 280: ...Sent Received messages number of messages transferred within one connec tion name or IP address of the incoming outgoing email server used protocol and volumes of data transferred in each direction N...

Страница 281: ...tion any traffic between the local network and the Internet within which more than 2 MB of data was transferred and which cannot be sorted in another category e g in Multimedia The record includes nam...

Страница 282: ...ed by volume of transferred data The table provides an information of part of the user in the total volume of the transferred data It is possible to use the table to view all transferred data or only...

Страница 283: ...he chart at the top of the tab shows top ten visited web domains The number in the chart refers to number of visits of all web pages of the particular domain in the selected accounting period Note The...

Страница 284: ...he total visit rate of the particular domain Hovering of a user s name by the mouse pointer shows total number of web pages visited by the user Figure 21 25 Chart of top active users for the particula...

Страница 285: ...ISS OrangeWeb Filter Statistics of categories provide more general information of visited websites For example the information help figure out how much users browse websites not related to their work...

Страница 286: ...particular category Hovering of a user s name by the mouse pointer shows total number of the user s requests to the particular web category Figure 21 28 Chart of top users for a selected web category...

Страница 287: ...full names are shown in charts or usernames if the full name is not defined in the account of the particular user Note Statistics of visited categories might be affected by wrong categorization of som...

Страница 288: ...ministration Console Individual logs can be rotated after a certain time period or when a threshold of the file size is reached log files are stored and new events are logged to a new empty file Admin...

Страница 289: ...will be rotated regularly The file will be stored and a new log file will be started in selected intervals Weekly rotation is performed at the edge of the calendar week depending on settings in the op...

Страница 290: ...he particular file will be rotated whenever one of these conditions is met 2 Setting of statistics and quotas accounting period does not affect log rotation see chap ter 21 2 Rotation is always bound...

Страница 291: ...for the particular WinRoute log depends on the Syslog server Severity Severity of logged events depends on the Syslog server 22 2 Logs Context Menu When you right click inside any log window a contex...

Страница 292: ...the file name is set The file extension is set automatically in accor dance with the format selected Format logs can be saved as plaintext or in HTML If the HTML format is used colors will be saved f...

Страница 293: ...ot be refreshed anymore Note If a user with read rights only is connected to WinRoute see chapter 15 1 the Log settings and Clear log options are missing in the log context menu Only users with full r...

Страница 294: ...ng one or multiple strings matching the regular expression will be highlighted The Description item is used for reference only It is recommended to describe all created rules well it is recommended to...

Страница 295: ...ction for details see chapter 19 3 22 4 Config Log The Config log stores a complete communication history between Administration Console and the WinRoute Firewall Engine the log allows you to find out...

Страница 296: ...g table 3 Other changes in configuration A typical example of this record type is the change of traffic rules When the user hits Apply in Configuration Traffic policy a complete list of current traffi...

Страница 297: ...cation layer service recognized by destination port If the corresponding service is not defined in WinRoute refer to chapter 14 3 the Service item is missing in the log User james name of the user con...

Страница 298: ...defined log expression Figure 22 8 Expression for traffic monitored in the debug log The expression must be defined with special symbols After clicking on the Help button a brief description of possi...

Страница 299: ...Protocol inspection reports from individual WinRoute s protocol inspectors sorted by protocol Kerio VPN detailed information on traffic within Kerio VPN VPN tunnels VPN clients encryptions exchange o...

Страница 300: ...interface name client type IP address and username The second event is logged upon a successful hang up The log provides information about interface name time of connection connection time volume of...

Страница 301: ...2008 15 59 08 DNS query for www microsoft com packet UDP 192 168 1 2 4579 195 146 100 100 53 initiated dialing of line Connection 15 Mar 2008 15 59 12 Line Connection disconnected The first record re...

Страница 302: ...with low level driver problems when initializing system libraries services con figuration databases etc 6000 6999 filesystem errors cannot open save delete file 7000 7999 SSL errors problems with key...

Страница 303: ...L rule log message 18 Apr 2008 13 39 45 ALLOW URL McAfee update 192 168 64 142 james HTTP GET http update kerio com nai antivirus datfiles 4 x dat 4258 zip 18 Apr 2008 13 39 45 date and time when the...

Страница 304: ...TCP only 22 10 Http log This log contains all HTTP requests that were processed by the HTTP inspection module see section 14 3 or by the built in proxy server see section 8 4 The log has the standard...

Страница 305: ...P protocol 0 size of the transferred object file in bytes 4 count of HTTP requests transferred through the connection An example of Http log record in the Squid format 1058444114 733 0 192 168 64 64 T...

Страница 306: ...66 1864 195 39 55 10 445 flags SYN seq 3819654104 ack 0 win 16384 tcplen 0 packet from packet direction either from i e sent via the interface or to i e received via the interface LAN interface name s...

Страница 307: ...io Administration Console WebAdmin web administration interface WebAdmin SSL secure web administration interface Proxy proxy server user authentication IP address IP address of the computer from which...

Страница 308: ...oblems e g HTTP rules require user authen tication but the WWW interface is not enabled 3000 3999 warning from individual WinRoute modules e g DHCP server anti virus check user authentication etc 4000...

Страница 309: ...ce For administrators the Web log is easy to read and it provides the possibility to monitor which Websites were opened by each user How to read the Web Log 24 Apr 2008 10 29 51 192 168 44 128 james K...

Страница 310: ...ons Identities of individual clients are authenticated against a username and password transmitted also by secured connection so that unauthorized clients cannot connect to local networks Remote conne...

Страница 311: ...f remote endpoints of VPN tunnels and of remote clients using Kerio VPN Client Note Connection to the VPN server from the Internet must be first allowed by traffic rules For details refer to chapters...

Страница 312: ...ubnet By default upon the first start up after installation WinRoute automatically selects a free subnet which will be used for VPN Under usual circumstances it is not necessary to change the default...

Страница 313: ...ver certificate This certificate is used for ver ification of the server s identity during creation of a VPN tunnel for details refer to chapter 23 3 The VPN server in WinRoute uses the standard SSL c...

Страница 314: ...disabled refer to chapter 8 1 the option is not available Use specific DNS servers primary and secondary DNS servers specified through this option will be set for VPN clients If another DNS server th...

Страница 315: ...d port is really free view the Error log to see whether an error of this type has not been reported Custom Routes Other networks to which a VPN route will be set for the client can be specified in thi...

Страница 316: ...icense should be bought Basic configuration of traffic rules for VPN clients Figure 23 6 Common traffic rules for VPN clients The first rule allows connection to the VPN server in WinRoute from the In...

Страница 317: ...nfiguration of VPN servers refer to chapter 23 1 Definition of a tunnel to a remote server VPN tunnel to the server on the other side must be defined at both ends Use the Add VPN tunnel option in the...

Страница 318: ...N tunnel is being created identity of the remote endpoint is authenticated through the fingerprint of its SSL certificate If the fingerprint does not match with the fingerprint specified in the config...

Страница 319: ...ings DNS must be set properly at both sends of the tunnel so that it is possible to connect to hosts in the remote network using their DNS names One method is to add DNS records of the hosts to the ho...

Страница 320: ...ich method will be used to add routes provided by the remote endpoint of the tunnel to the local routing table as well as define custom routes to remote networks The Kerio VPN routing issue is describ...

Страница 321: ...ture protects tunnels from disconnection by other firewalls or network devices between ends of tunnels Traffic Policy Settings for VPN Once the VPN tunnel is created it is necessary to allow traffic b...

Страница 322: ...if a routing table at any side of the VPN tunnel includes invalid routes e g specified by the administrator these routes are also interchanged This might make traffic with some remote subnets impossi...

Страница 323: ...with identical IP ranges is not allowed other routes i e routes to local subnets at remote ends of VPN tunnels excluding the cases described above all other VPN and all VPN clients are exchanged Note...

Страница 324: ...by a VPN tunnel using the Kerio VPN VPN clients will be allowed to connect to the headquarters network The server default gateway of the headquarters uses the public IP address 63 55 21 12 DNS name i...

Страница 325: ...ute a stand alone license for the corresponding num ber of users is required For details see chapter 4 2 Configure and test connection of the local network to the Internet Hosts in the local net work...

Страница 326: ...ork remote network and VPN clients and set desirable access restrictions In this network configuration all desirable restric tions can be set at the headquarter s server Therefore only traffic between...

Страница 327: ...us of the Create rules for Kerio Clientless SSL VPN option is irrelevant this example does not include Clientless SSL VPN interface s issues Figure 23 14 Headquarter creating default traffic rules for...

Страница 328: ...ecify DNS servers to which DNS queries which are not addressed to the company com domain will be for warded primary and secondary DNS server of the Internet connection provider by default Figure 23 16...

Страница 329: ...1 as a primary DNS server also for the other hosts Note For proper functionality of DNS the DNS database must include records for hosts in a corresponding local network To achieve this save DNS names...

Страница 330: ...Chapter 23 Kerio VPN 330 Figure 23 19 Headquarters VPN server configuration For a detailed description on the VPN server configuration refer to chapter 23 1...

Страница 331: ...dquarter definition of VPN tunnel for a filial office 6 Customize traffic rules according to the restriction requirements In the Local Traffic rule remove all items except those belonging to the local...

Страница 332: ...default rule see chapter 7 3 Configuration of a filial office 1 Install WinRoute version 6 0 0 or later at the default gateway of the branch office server 2 Use Network Rules Wizard see chapter 7 1 to...

Страница 333: ...Figure 23 24 Filial office default traffic rules for Kerio VPN When the VPN tunnel is created customize these rules according to the restriction re quirements Step 6 3 Customize DNS configuration as f...

Страница 334: ...ts in a corresponding local network To achieve this save DNS names and IP addresses of local hosts into the hosts file if they use IP addresses or enable cooperation of the DNS Forwarder with the DHCP...

Страница 335: ...office 335 Figure 23 27 Filial office TCP IP configuration at a firewall s interface connected to the local network Figure 23 28 Filial office VPN server configuration 5 Create an active endpoint of...

Страница 336: ...ll be reported in the Adapter info column for both ends of the tunnel If the connection cannot be established we recommend you to check the configuration of the traffic rules and test availability of...

Страница 337: ...whether the same subnet is not used at both ends of the tunnel If an IP address is tested successfully and an error is reported Unknown host when a corre sponding DNS name is tested then check configu...

Страница 338: ...he fixed IP address 63 55 21 12 DNS name is gw newyork company com The server of one filial uses the IP address 115 95 27 55 DNS name gw london company com the other filial s server uses a dynamic IP...

Страница 339: ...k To achieve this save DNS names and IP addresses of local hosts into the hosts file if they use IP addresses or enable cooperation of the DNS Forwarder with the DHCP server in case that IP addresses...

Страница 340: ...e whether the same subnet is not used at both ends of the tunnel If an IP address is tested successfully and an error is reported Unknown host when a cor responding DNS name is tested then check conf...

Страница 341: ...will create rules for connection of the VPN server as well as for communication of VPN clients with the local network through the firewall Figure 23 34 Headquarter default traffic rules for Kerio VPN...

Страница 342: ...ute host s inbound interface connected to the local network at the remote side of the tunnel Figure 23 36 Headquarter DNS forwarding settings Set the IP address of this interface 10 1 1 1 as a primary...

Страница 343: ...23 6 Example of a more complex Kerio VPN configuration 343 Figure 23 37 Headquarter TCP IP configuration at a firewall s interface connected to the local network...

Страница 344: ...is available Note The VPN network and Mask entries now include an automatically selected free sub net Check whether this subnet does not collide with any other subnet in the headquarters or in the fi...

Страница 345: ...gerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate Figure 23 39 Headquarter definition of VPN tunnel for the London filial On th...

Страница 346: ...cribed here is applied see figure 23 31 it is un recommended to use automatically provided routes In case of an automatic exchange of routes the routing within the VPN is not be ideal for example any...

Страница 347: ...unnel connected to the Paris filial Figure 23 41 The headquarters definition of VPN tunnel for the Paris filial On the Advanced tab select the Use custom routes only option and set routes to the sub n...

Страница 348: ...Chapter 23 Kerio VPN 348 Figure 23 42 The headquarters routing configuration for the tunnel connected to the Paris filial Figure 23 43 Headquarter final traffic rules...

Страница 349: ...the wizard select the Create rules for Kerio VPN server option setting of the Create rules for Kerio Clientless SSL VPN option is not regarded here Figure 23 44 The London filial no restrictions are...

Страница 350: ...he London filial office DNS forwarder configuration Enable the Use custom forwarding option and define rules for names in the company com and filial2 company com domains To specify the forwarding DNS...

Страница 351: ...n the filials If it does specify a free subnet Figure 23 49 The London filial office VPN server configuration For a detailed description on the VPN server configuration refer to chapter 23 1 5 Create...

Страница 352: ...ter 23 Kerio VPN 352 our example the ping gw newyork company com command can be used at the London branch office server Figure 23 50 The London filial office definition of VPN tunnel for the headquart...

Страница 353: ...23 6 Example of a more complex Kerio VPN configuration 353 Figure 23 51 The London filial routing configuration for the tunnel connected to the headquarters...

Страница 354: ...SSL certificate Figure 23 52 The London filial office definition of VPN tunnel for the Paris filial office On the Advanced tab select the Use custom routes only option and set routes to Paris local ne...

Страница 355: ...e of a more complex Kerio VPN configuration 355 Figure 23 53 The London filial routing configuration for the tunnel connected to the Paris branch office Figure 23 54 The London filial office final tra...

Страница 356: ...e access from the local network to the Internet is not restricted i e that access to all services is allowed in step 4 Figure 23 55 The Paris filial no restrictions are applied to accessing the Intern...

Страница 357: ...company com domains Specify the server for DNS forwarding by the IP address of the remote firewall host s interface i e interface connected to the local network at the other end of the tunnel Figure...

Страница 358: ...cted free sub net Check whether this subnet does not collide with any other subnet in the headquarters or in the filials If it does specify a free subnet Figure 23 59 The Paris filial office VPN serve...

Страница 359: ...l for the headquarters On the Advanced tab select the Use custom routes only option and set routes to headquar ters local networks At this point connection should be established i e the tunnel should...

Страница 360: ...Chapter 23 Kerio VPN 360 Paris branch office server Figure 23 61 The Paris filial routing configuration for the tunnel connected to the headquarters...

Страница 361: ...ice definition of VPN tunnel for the London filial office On the Advanced tab select the Use custom routes only option and set routes to London s local networks Like in the previous step check whether...

Страница 362: ...lial office final traffic rules connect to this branch office VPN test The VPN configuration has been completed by now At this point it is recommended to test reachability of the remote hosts in the o...

Страница 363: ...Places system tool it does not enable access to web servers or other services in a remote network SSL VPN is suitable for an immediate access to shared files in remote networks in such envi ronments w...

Страница 364: ...cre ating importing a certificate is identical as the one for WinRoute s interface or the VPN server addressed in detail in chapter 11 1 Hint Certificates for particular server name issued by a trustw...

Страница 365: ...particular domain at the login page by username and password is required Any operations with shared files and folders are performed under the identity of the user currently logged in Figure 24 4 Clien...

Страница 366: ...page an entry is available where location of the demanded shared item so called UNC path can be specified for example server folder subfolder The path may be specified regularly even if folder or and...

Страница 367: ...fault configuration only files uploaded to hosts in remote private networks are scanned For connection speed reasons files downloaded to local hosts from remote networks are not scanned by antiviruses...

Страница 368: ...to enter a new path Figure 24 7 Clientless SSL VPN new folder Use the Edit button to select a new path folder where the new folder will be created use a bookmark select it in the folder tree Renaming...

Страница 369: ...path folder or select it in the tree or it is also possible to use a bookmark see above Moving of files folders It is also possible to remove any number of folders or and files as well as all files an...

Страница 370: ...in the SSL VPN interface is set Destination folder can be specified manually selected in the folder tree or loaded from a bookmark see above Use the File entry to specify full path to a local file Fi...

Страница 371: ...blems you have already figured out Configuration files All WinRoute configuration data is stored in the following files under the same directory where WinRoute is installed the typical path is C Progr...

Страница 372: ...status information is saved Files Cache CFS Current ISS OrangeWeb Filter s cache data see chapter 12 4 dnscache cfg DNS files stored in DNS forwarder s cache see chapter 8 1 leases cfg IP addresses as...

Страница 373: ...is being reinstalled follow these steps 1 Perform WinRoute installation on a required machine refer to chapter 2 3 2 Stop WinRoute Firewall Engine 3 Into the WinRoute directory the typical path is C...

Страница 374: ...DEVICE 7AC918EE 3B85 5A0E 8819 CBA57D4E11C7 variable variable name Name LAN variable listitem listitem variable name Id DEVICE 6BF377FB 3B85 4180 95E1 EAD57D5A60A1 variable variable name Name Local Ar...

Страница 375: ...2 The server i e the WinRoute host belongs to a corresponding Windows NT or Active Directory Windows 2000 2003 2008 domain 3 Client host belongs to the domain 4 User at the client host is required to...

Страница 376: ...tory domain the corresponding NT domain must be set in the particular domain s configuration on the Active Directory tab for details refer to chapter 15 4 Figure 25 3 Setting of NTLM authentication fo...

Страница 377: ...e login dialog is displayed only if NTLM authentication fails e g when user account for user authenticated at the client host does not exist in WinRoute Warning One reason of a NTLM authentication fai...

Страница 378: ...ect connection proxy server is not set in the browser Look up the network automatic ntlm auth trusted uris parameter Use the WinRoute host s name as a value for this parameter e g server or server com...

Страница 379: ...rowser Web browsers allow to set the proxy server either globally or for individual protocols In our example configuration of Internet Explorer 6 0 focused configuration of any other browsers is almos...

Страница 380: ...P New Connection option available in the main menu or creating a bookmark for repeated connec tions Net FTP Connect The proxy server must be configured individually for each FTP connection or for each...

Страница 381: ...receives a packet from the local network it will compare it with the system routing table If the packets goes out to the Internet no record will be found since there is no default route in the routin...

Страница 382: ...use it is initiated by WinRoute low lever driver This driver holds packets and decides whether the line should be dialed or not If the line is disconnected and a packet is sent from the local host to...

Страница 383: ...r must be defined by DNS name so that the application can create a DNS query In the operating system set the primary DNS server to the IP address of the fire wall In Windows go to TCP IP properties in...

Страница 384: ...when demanded In Actions for DNS name you can select either the Dial or the Ignore option Use the second option to block dialing of the line in response to a request for this DNS name The Dial action...

Страница 385: ...tivate the Enable dialing for local DNS names option in the Other settings tab to enable this at the top of the Dial On Demand dialog window In other cases it is recommended to leave the option disabl...

Страница 386: ...ection which will provide you with a few guidelines 26 1 Essential Information To send a request to our technical support use the contact form at http support kerio com To be able to help you solve yo...

Страница 387: ...ype and license number Please specify whether you have purchased any WinRoute license or if you use the trial version Requirements of owners of valid licenses are always preferred 26 2 Tested in Beta...

Страница 388: ...ct form http support kerio com United Kingdom Kerio Technologies UK Ltd Enterprise House Vision Park Histon Cambridge CB24 9ZR Tel 44 1223 202 130 http www kerio co uk Contact form http support kerio...

Страница 389: ...S are Safari are trademarks or registered trademarks of Apple Computer Inc Linux is registered trademark of Linus Torvalds Mozilla and Firefox are registered trademarks of Mozilla Foundation KerberosT...

Страница 390: ...License MPL Original source code can be downloaded from http h323plus org libcurl Copyright 1996 2008 Daniel Stenberg libiconv Copyright Free Software Foundation Inc Author Bruno Haible WinRoute incl...

Страница 391: ...2001 2004 The PHP Group Copyright 1998 2002 HappySize Inc All rights reserved Prototype Copyright Sam Stephenson Homepage http prototype conio net ptlib This product includes unmodified version of the...

Страница 392: ...irtual server keeps running Connections A virtual bidirectional communication channel between two hosts See also TCP DDNS DDNS Dynamic Domain Name System is DNS with the feature of automatic update of...

Страница 393: ...nt This mode is suitable for cases where the firewall is at the server s side however it is not supported by some clients e g by web browsers passive mode data connection is established also by the cl...

Страница 394: ...tunnel mode or for encryption of traffic between two hosts so called transport mode Kerberos Kerberos is a system used for secure user authentication in network environments It was developed at the M...

Страница 395: ...ce P2P network Peer to Peer P2P networks are world wide distributed systems where each node can represent both a client and a server These networks are used for sharing of big volumes of data this sha...

Страница 396: ...e g FTP in the active mode when data connection to a client is established by a server and to filter traffic by the corresponding protocol e g limited access to Web pages classified by URLs anti viru...

Страница 397: ...P protocol Nowadays it is used by almost all standard Internet protocols SMTP POP3 IMAP LDAP etc At the beginning of communication an encryption key is requested and transferred using asymmetrical enc...

Страница 398: ...ich transfers data through individ ual messages so called datagrams It does not establish new connections nor it provides reliable and sequentional data delivery nor it enables error correction or dat...

Страница 399: ...bandwidth limiter 130 configuration 130 detection principle 135 beta version 387 BOOTP 116 C cache directory 124 DNS 103 size 124 URL exceptions 126 certificate SSL VPN 364 VPN server 313 Web Interfac...

Страница 400: ...t connection 49 back up 58 dial on demand 53 381 leased line 50 load balancing 62 unintentional dialing 383 IPSec 84 ISS OrangeWeb Filter 163 deployment 165 parameters configuration 164 website catego...

Страница 401: ...tration at the Kerio website 40 of purchased product 36 trial version 32 relay SMTP server 238 routing table 233 static routes 234 S services 79 192 SIP 195 SSL VPN 363 antivirus check 367 bookmarks 3...

Страница 402: ...main mapping 214 in traffic rules 95 local 201 202 mapped 201 templates 201 204 user authentication 137 authentication methods 204 automatic login 210 configuration 138 in Active Directory 212 in NT d...

Страница 403: ...403 security center 18 Windows Firewall 17 18 WinRoute Engine Monitor 18 19 WinRoute Firewall Engine 18 wizard configuration 22 traffic rules 67...

Страница 404: ...404...

Результаты поиска

Содержание Firewall6

Отзывы:

Похожие инструкции для Firewall6

Бренды по названию

Популярные бренды

Kerio Tech Firewall6, Руководство администратора

Результаты поиска

Содержание Firewall6

Отзывы:

Похожие инструкции для Firewall6

Бренды по названию

Популярные бренды