
23.5 Example of Kerio VPN configuration: company with a filial office


Routes provided automatically

Unless any custom routes are defined, the following rules apply to the interchange of routing information:

• default routes as well as routes to networks with default gateways are not exchanged (the default gateway cannot be changed for remote VPN clients and/or for remote endpoints of a tunnel),
• routes to subnets which are identical for both sides of a tunnel are not exchanged (routing of local and remote networks with identical IP ranges is not allowed),
• other routes (i.e. routes to local subnets at remote ends of VPN tunnels, excluding the cases described above, routes to all other VPN tunnels and to all VPN clients) are exchanged.

Note: As implied by the description above, if two VPN tunnels are created, communication between the two remote networks is possible. Traffic rules can be configured so that connections to the local network are disabled for both of these remote networks.

Update of routing tables

Routing information is exchanged:

• when a VPN tunnel is connected or when a VPN client is connected to the server,
• when information in a routing table at any side of the tunnel (or at the VPN server) is changed,
• periodically, every 10 minutes. The timeout starts upon each update (regardless of the update reason).
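The two rule sets above (which routes cross a tunnel, and when the exchange runs) can be modelled in a few lines. The following is an added example, not Kerio's code: it takes each side's routing table and reports which routes would be advertised and which collide, and it computes the exchange times given trigger events, showing how the 10-minute countdown restarts after every update. The routing tables are constructed, and reading "routes to networks with default gateways" as routes whose next hop is the default gateway is an assumption.

```python
"""Model of the Kerio VPN automatic route exchange rules (added example).

Not Kerio's code; the routing tables are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: str               # CIDR; "0.0.0.0/0" is the default route
    gateway: Optional[str]     # next hop, None for a directly connected subnet
    kind: str = "local"        # "local", "tunnel" (learned via another tunnel) or "client"


def is_default(route: Route) -> bool:
    return ipaddress.ip_network(route.network).prefixlen == 0


def routes_to_exchange(local: List[Route], remote: List[Route]) -> Tuple[List[Route], List[Route]]:
    """Return (advertised, collisions) for the routes `local` sends to `remote`.

    - default routes are never sent; neither are routes whose next hop is the
      default gateway (assumption: that is what "networks with default gateways" means),
    - a subnet that exists on both sides is a collision and is not sent,
    - everything else (local subnets, other tunnels, VPN clients) is sent.
    """
    default_gateways = {r.gateway for r in local if is_default(r) and r.gateway}
    remote_networks = {ipaddress.ip_network(r.network) for r in remote if not is_default(r)}
    advertised, collisions = [], []
    for r in local:
        if is_default(r) or r.gateway in default_gateways:
            continue
        if ipaddress.ip_network(r.network) in remote_networks:
            collisions.append(r)      # identical ranges on both sides: not routable over the tunnel
            continue
        advertised.append(r)
    return advertised, collisions


def exchange_times(events: List[int], horizon: int, period: int = 600) -> List[int]:
    """Times (seconds) at which routing information is exchanged.

    `events` are trigger timestamps (tunnel/client connect, routing table change).
    A periodic exchange runs every `period` seconds, but the countdown restarts at
    every exchange regardless of its reason, so an event delays the next periodic run.
    """
    events = sorted(e for e in events if e < horizon)
    if not events:
        return []
    times = [events[0]]
    for ev in events[1:]:
        while times[-1] + period < ev:          # periodic runs before this event
            times.append(times[-1] + period)
        if ev > times[-1]:                       # the event itself triggers an exchange
            times.append(ev)
    while times[-1] + period < horizon:
        times.append(times[-1] + period)
    return times


# Constructed sample tables (documentation address ranges for the public side).
NEW_YORK = [
    Route("0.0.0.0/0", "203.0.113.1"),
    Route("192.168.1.0/24", None),
    Route("192.168.2.0/24", None),               # same range also used in London
    Route("172.16.0.0/16", "203.0.113.1"),       # static route via the default gateway
    Route("10.10.10.0/24", "10.10.10.1", "tunnel"),
    Route("192.168.100.0/24", None, "client"),
]
LONDON = [
    Route("0.0.0.0/0", "198.51.100.1"),
    Route("192.168.2.0/24", None),
    Route("192.168.10.0/24", None),
]

if __name__ == "__main__":
    sent, clash = routes_to_exchange(NEW_YORK, LONDON)
    print("advertised:", [r.network for r in sent])
    print("collisions:", [r.network for r in clash])
    print("exchanges with a table change at t=300:", exchange_times([0, 300], 2000))
```

A collision in the second list is the configuration error the text describes (identical IP ranges on both ends), and is worth checking before a tunnel is brought up.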

23.5 Example of Kerio VPN configuration: company with a filial office

This chapter provides a detailed example of how to create an encrypted tunnel connecting two private networks using the Kerio VPN.

This example can be easily customized. The method described can be used in cases where creating VPN tunnels gives rise to no redundant routes (i.e. multiple routes between individual private networks). Configuration of a VPN with redundant routes (typically in the case of a company with two or more filials) is described in chapter 23.6.

Note: This example describes a more complicated VPN pattern with access restrictions for individual local networks and VPN clients. An example of basic VPN configuration is provided in the Kerio WinRoute Firewall — Step By Step Configuration document.

Specification

Suppose a company has its headquarters in New York and a branch office in London. We intend to interconnect the local networks of the headquarters and the branch office by a VPN tunnel using the Kerio VPN. VPN clients will be allowed to connect to the headquarters network.

Содержание KERIO WINROUTE FIREWALL 6

Страница 1: ...Kerio WinRoute Firewall 6 Administrator s Guide Kerio Technologies s r o...

Страница 2: ...Firewall User s Guide The Kerio VPN Client application is described in a stand alone document Kerio VPN Client User s Guide For current version of the product go to http www kerio com firewall downloa...

Страница 3: ...n 27 3 1 Administration Console the main window 28 3 2 Administration Console view preferences 31 4 Product Registration and Licensing 32 4 1 License types and number of users 32 4 2 License informati...

Страница 4: ...5 10 User Authentication 137 10 1 Firewall User Authentication 137 11 Web Interface 141 11 1 Web interface preferences 141 11 2 User authentication at the web interface 146 12 HTTP and FTP filtering 1...

Страница 5: ...r settings 224 18 1 Routing table 224 18 2 Universal Plug and Play UPnP 227 18 3 Relay SMTP server 229 19 Status Information 231 19 1 Active hosts and connected users 231 19 2 Network connections over...

Страница 6: ...7 23 6 Example of a more complex Kerio VPN configuration 310 24 Kerio Clientless SSL VPN Windows 335 24 1 Configuration of WinRoute s SSL VPN 335 24 2 Usage of the SSL VPN interface 337 25 Specific se...

Страница 7: ...functionality of the Internet connection and of traffic among hosts within the local network before you run the WinRoute installation This test will reduce possible problems with debugging and error...

Страница 8: ...s Automatic configuration activate the Obtain an IP address automatically option Do not set any other parameters Manual configuration define IP address subnet mask default gateway address DNS server a...

Страница 9: ...guration of crucial WinRoute parameters the interface traffic policy HTTP and FTP filtering rules user accounts and groups etc However the Kerio Administration Console is still available and allow set...

Страница 10: ...ction NAT WinRoute can detect if NAT is active in the RRAS service if it is a warning is dis played In reaction to the alert message the server administrator should disable NAT in the RRAS configurati...

Страница 11: ...ail protocols WinRoute also provides with this feature which may cause collisions Therefore it is recommended to install a server version of your antivirus program on the WinRoute host The server vers...

Страница 12: ...ollowing browsers can be used to access the WinRoute Kerio StaR see chapter 21 and Kerio SSL VPN see chapter 24 web services Internet Explorer 7 or higher Firefox 2 or higher Safari 3 or higher 2 4 In...

Страница 13: ...et WiFi etc or a modem analog ISDN etc as an Internet interface We recommend you to check through the following items before you run WinRoute installation Time of the operating system should be set co...

Страница 14: ...e components For detailed descrip tion on the proprietary VPN solution refer to chapter 23 Having completed this step you can start the installation process All files will be copied to the hard disk a...

Страница 15: ...users are not allowed access the directory Warning If the FAT32 file system is used it is not possible to protect WinRoute in the way suggested above For this reason it is recommended to install WinRo...

Страница 16: ...change these settings Generally the following rules are applied The Windows Firewall Internet Connection Sharing ICS service should be disabled Otherwise WinRoute will not work correctly The option i...

Страница 17: ...and it does not display warn ings informing that the system is not protected 2 5 Initial configuration wizard Windows Using this wizard you can define all basic WinRoute parameters It is started auto...

Страница 18: ...affic rules see chapter 7 If WinRoute is installed remotely i e using terminal access communication with the remote client will be also inter rupted immediately WinRoute must be configured locally Wit...

Страница 19: ...tomatically License all logs and user defined settings are kept safely Note This procedure applies to upgrades between versions of the same series e g from 6 6 0 to 6 6 1 or from a version of the prev...

Страница 20: ...tion Sharing Universal Plug and Play Device Host and SSDP Discovery Service system services 2 7 Installation Software Appliance and VMware Virtual Appliance WinRoute in the software appliance edition...

Страница 21: ...isk for WinRoute installation Content of the selected disk will be completely removed beforeWinRoute installation while other disk are not affected by the installation If there is an only hard disk de...

Страница 22: ...used itself as a DHCP server for local hosts workstations Admin password The installation requires specification of the password for the account Admin the account of the main administrator of the fire...

Страница 23: ...asy access to the Administration Console For details refer to chapter 2 10 Note WinRoute Firewall Engine is independent on the WinRoute Engine Monitor The Engine can be running even if there is no ico...

Страница 24: ...described later Use the right mouse button to open the following menu Figure 2 7 WinRoute Engine Monitor menu Start up Preferences With these options WinRoute Engine and or WinRoute Engine Monitor app...

Страница 25: ...n The firewall s console provides the following configuration options Network Interface Configurations This option allows to show or and edit parameters of individual network interfaces of the firewal...

Страница 26: ...res the default firewall settings as installed from the installation CD or upon the first startup of the VMware virtual host All configuration files and data logs statistics etc will be removed and it...

Страница 27: ...erio Administration Console Kerio Administration Console referred to as the Administration Console in this document is an application used for administration of all Kerio Technologies server products...

Страница 28: ...the window or by following the browser language preferences The Administration Console allows language settings in the Tools menu of the login dialog box 2 Upon the first login to the Administration...

Страница 29: ...n terminates the session users are logged out of the server and the administration window is closed The same effect can be obtained by clicking the little cross in the upper right corner of the window...

Страница 30: ...ministration Console Ready waiting for user s response Load ing retrieving data from the server or Saving saving changes to the server Detection of WinRoute Firewall Engine connection drop out Adminis...

Страница 31: ...ed This entry opens a dialog window where users can select which columns will be displayed hidden Figure 3 3 Column customization in Interfaces This dialog offers a list of all columns available for a...

Страница 32: ...st cannot be used as a gateway for the Internet Upon registration with a valid license number received as a response to purchase of the product WinRoute is available with full functionality Note If yo...

Страница 33: ...service License is defined only by an expiration date which specifies when this module will be blocked Note Refer to Kerio Technologies website http www kerio com to get up to date infor mation about...

Страница 34: ...open the homepage in your default browser Operational system Name of the operating system on which the WinRoute Firewall Engine service is running This is an informative item only the purchased licen...

Страница 35: ...to add subscription license numbers or add on licenses add users In any case the registration wizard will be started where basic data are required and additional data can also be defined For detailed...

Страница 36: ...e text field this protects the registration server from misuse The security code is not case sensitive Figure 4 2 Trial version registration security code 2 On the second page enter information about...

Страница 37: ...tion other information 4 The fourth page provides the information summary If any information is incorrect use the Back button to browse to a corresponding page and correct the data 5 The last page of...

Страница 38: ...ge set in the Administration Console where confirmation of the registration is demanded is sent to the email address specified on the page two of the wizard Click on the link in the email message to c...

Страница 39: ...optional components and subscriptions The page also includes any license numbers as sociated with the basic product that have already been registered Click on Add to add purchased license numbers Eac...

Страница 40: ...Chapter 4 Product Registration and Licensing 40 Figure 4 8 Product registration license numbers of additional components add ons and subscription...

Страница 41: ...ble These questions are asked only during the primary original registration If these ques tions have already been answered the page is skipped and the registration process con sists of four steps only...

Страница 42: ...ary 1 The license key is generated only for the operating system on which WinRoute was installed during the registration Windows Linux The license can be used for any platform but the license key is a...

Страница 43: ...llation of the license key is completed successfully the license is activated immediately Information about the new license is displayed on the Administration Console welcome page This method can also...

Страница 44: ...l WinRoute or any of its components stops functioning or WinRoute or McAfee subscription expires The information is also stopped being displayed immediately after the registration of the subscription...

Страница 45: ...in the table of clients If not a new record including the IP address is added to the table and the number of licenses is raised by 1 The following items are considered as clients 1 All hosts from whic...

Страница 46: ...h a corresponding IP address meeting all conditions is detected is monitored for each record in the table of clients If the idleness time of a client reaches 15 minutes the corresponding record is rem...

Страница 47: ...Web Administration s Configuration Interfaces section Figure 5 1 Network interfaces Groups of interfaces To simplify the firewall s configuration and make it as comfortable as possible network inter...

Страница 48: ...stination group or select the group in properties of the particular interface see below Note If the initial configuration is not performed by the wizard all interfaces except VPN interfaces are set as...

Страница 49: ...ace connected to the Internet connection The name can be edited later see below with no affect on WinRoute s functionality The icon to the left of the name represents the interface type network adapte...

Страница 50: ...certain function appropriate buttons will be inactive Add VPN Tunnel Use this option to create a new server to server VPN tunnel Details on the proprietary Kerio VPN solution are provided in chapter 2...

Страница 51: ...l as established VPN tunnels cannot be removed in WinRoute Note 1 Records related to network cards or dial ups that do not exist any longer those that have been removed do not affect WinRoute s functi...

Страница 52: ...interfaces this item can be changed as desired any time later Other parameters of the interface depend on the selected interface type Most types require username and password for access verification...

Страница 53: ...et connection is an issue and two Internet links are available the connection failover feature can help If the primary link fails WinRoute switches to the secondary link automatically Users may theref...

Страница 54: ...n be configured automatically with the DHCP protocol It is also possible to use a dial like link which can be connected persistently such as PPPoE connections or CDMA modems WinRoute will keep this ty...

Страница 55: ...on network interfaces see chapter 5 Notes 1 On the top of the list the Internet interface where the default gateway is set is offered Therefore in most cases the appropriate adapter is already set wit...

Страница 56: ...rface planned for DMZ you can move the particular interface to Other Interfaces For these interfaces it will be necessary to define corresponding traffic rules manually see chapter 7 3 It is also poss...

Страница 57: ...t necessary to define and save login data in the dial up settings this information can be defined directly in WinRoute This connection type also requires one or more network cards for connection of in...

Страница 58: ...ter 5 Resulting interface configuration When you finish set up in Traffic Policy Wizard the resulting configuration can be viewed under Configuration Interfaces and edited if desirable The Internet In...

Страница 59: ...In the Dial on Demand mode default gateway must NOT be set on any network interface of the firewall On demand dialing is based on absence of the default gateway if no route exist in the routing table...

Страница 60: ...the link is dialed on demand Note 1 If a static route over a dial up is defined in WinRoute s routing table this link will be dialed whenever a packet is routed through there Settings for the interval...

Страница 61: ...comfortable and in certain cases even increase connection costs Note In the time interval where persistent connection of the link is set see above the idleness timeout is ignored Dialing scripts In so...

Страница 62: ...dial up with persistent connection CDMA PPPoE for primary connection and a leased line or a dial up for secondary failover connection This connection type also requires one or more network cards for...

Страница 63: ...Figure 6 9 Traffic Policy Wizard Internet connection failover In the third step of the wizard select a network interface for the primary connection leased or persistent dial up link and for the secon...

Страница 64: ...f a leased link by a dial up Resulting interface configuration When you finish set up in Traffic Policy Wizard the resulting configuration can be viewed under Configuration Interfaces and edited if de...

Страница 65: ...nternet interfaces for primary and secondary connection links only To change settings of primary and secondary connection use corresponding options in the interface edit dialog see chapter 5 or use th...

Страница 66: ...e of failure of one of the lines the traffic is routed via another Note 1 Network load balancing is applied only to outbound traffic via the default route If the routing table see chapter 18 1 defines...

Страница 67: ...r a dial up test the leased link connection first and then dial the other one Dialing of the link opens creates a new default route via this link which allows us to test Internet connection on the sec...

Страница 68: ...just for reference reasons it should correspond with the link speed suggested by the ISP The important aspect is the ratio of speed between individual links it determines how Internet traffic will be...

Страница 69: ...her connection on this Internet link is working and part of Internet traffic can be routed through it Other interfaces including Dial In are considered as segments of the LAN and put in Trusted Local...

Страница 70: ...sible to specify IP addresses of other one or more testing computers upon clicking on Advanced If at least one of the tested devices is available the Internet connection in question is considered as f...

Страница 71: ...twork Rules Wizard The network rules wizard demands only the data that is essential for creating a basic set of traffic rules The rules defined in this wizard will enable access to selected services t...

Страница 72: ...connection type does not affect resulting traffic rules but only con figuration of interfaces and their classification in groups see chapters 5 and 6 2 The Traffic Policy Wizard no longer includes the...

Страница 73: ...5 enabling Kerio VPN traffic To use WinRoute s proprietary VPN solution in order to connect remote clients or to create tunnels between remote networks keep the Create rules for Kerio VPN server sele...

Страница 74: ...for Kerio VPN was required in the previous step the Kerio VPN and HTTPS firewall services will be automatically added to the list of local servers If these services are removed or their parameters are...

Страница 75: ...generating the rules In the last step traffic rules are generated in accordance with data specified All existing rules will be removed and replaced by the new rules Figure 7 6 Network Rules Wizard the...

Страница 76: ...rvice and HTTPS Service The Kerio VPN service rule enables connection to the WinRoute s VPN server establish ment of control connection between a VPN client and the server or creation of a VPN tunnel...

Страница 77: ...ts connected to the server If creating of rules for Kerio VPN was set in the wizard the wizard page 5 the Local Traffic rule includes also special address groups All VPN tunnels and All VPN clients Th...

Страница 78: ...tents use the special tools available in WinRoute for these purposes see chapter 12 rather than traffic rules 7 3 Definition of Custom Traffic Rules The traffic rules are displayed in the form of a ta...

Страница 79: ...r the bubble to view the rule description It is recommended to describe all created rules for better reference automatic descriptions are provided for rules created by the wizard This is helpful for l...

Страница 80: ...ork connected to interface selection of the interface or a group of interfaces from which the packet comes in Source or via which they are sent out Destination Figure 7 10 Traffic rule selecting an in...

Страница 81: ...e destination address definition The Authenticated users option makes the rule valid for all users authenticated to the firewall see chapter 10 1 Use the User s from domain option to add users groups...

Страница 82: ...e displayed in the item list This is helpful when rules are changed it is not necessary to remove items one by one Whenever at least one item is added the Nothing value will be removed automatically I...

Страница 83: ...bypass the protocol inspector for certain traffic it is necessary to define this exception in the particular traffic rule For detailed information see chapter 7 7 Action Action that will be taken by...

Страница 84: ...tion WinRoute offers these options Automatic IP address selection By default in packets sent from the LAN to the Internet the source IP address will be replaced by IP address of the Internet interface...

Страница 85: ...and dialing or connection failover these options have no effect on WinRoute s functionality Hint For maximal efficiency of the connection s capacity it is possible to combine both load balancing metho...

Страница 86: ...the Internet This option is available above all to keep the environment compatible with older WinRoute versions However use of a fixed IP address has many limitations It is necessary to use an IP add...

Страница 87: ...s running of applications in the private network that would either work only partially or they would not work at all For example of using of Full cone NAT for VoIP applications refer to chapter 7 8 Wa...

Страница 88: ...ases WinRoute finds a corresponding IP address using a DNS query Warning We recommend you not to use names of computers which are not recorded in the local DNS since rule is not applied until a corres...

Страница 89: ...the rule will be valid Apart from this interval WinRoute ignores the rule The special always option can be used to disable the time limitation it is not displayed in the Traffic Policy dialog When a d...

Страница 90: ...fic policy provides a range of network traffic filtering options In this chapter you will find some rules used to manage standard configurations Using these examples you can easily create a set of rul...

Страница 91: ...lation option should be set in the Destination address translation section otherwise the rule might not function Combining source and destination IP address translation is relevant under special condi...

Страница 92: ...ow option otherwise all traffic will be blocked and the function of port mapping will be irrelevant Translation In the Destination NAT Port Mapping section select the Translate to IP address option an...

Страница 93: ...The interface connected to the Internet uses public IP addresses 63 157 211 10 and 63 157 211 11 We want the server web1 to be available from the Internet at the IP address 63 157 211 10 the server w...

Страница 94: ...tion rule in the Service entry specify only those services that are intended to be allowed Figure 7 25 Internet connection sharing only selected services are available 2 Limitations sorted by IP addre...

Страница 95: ...ter 7 6 Exclusions You may need to allow access to the Internet only for a certain user address group whereas all other users should not be allowed to access this service This will be better understoo...

Страница 96: ...s and 8 Mbit s One of the links is connected to the provider where the mailserver is also hosted Therefore it is desirable that all email traffic SMTP IMAP POP3 protocols and their secured versions is...

Страница 97: ...twork traffic load balancing WinRoute provides two options of network traffic load balancing per host clients or per con nection for details refer to chapter 7 3 With respect to variability of applica...

Страница 98: ...sed on various issues relating to use of user accounts in traffic rules as well as hints for their solution Note For detailed information on traffic rules definition refer to chapter 7 3 How to enable...

Страница 99: ...ing host After a successful authentication users specified in the NAT rule see figure 7 35 will be allowed to access also other Internet services As well as users not specified in the rules unauthenti...

Страница 100: ...ctionality of the application or endanger its security A special traffic rule as follows will be defined for all traffic of the banking application 1 In the Configuration Definitions Services section...

Страница 101: ...ible passage from the Internet to the local network To keep the security as high as possible it is therefore necessary to enable Full cone NAT for particular clients and services only The following ex...

Страница 102: ...er 7 3 and enable the Allow returning packets from any host Full cone NAT option Figure 7 40 Enabling Full cone NAT in the traffic rule Rule for Full cone NAT must precede the general rule with NAT al...

Страница 103: ...and to the port of the other telephone Under normal conditions such packets would be dropped How ever WinRoute is capable of using a corresponding record in the NAT table to recognize that a packet is...

Страница 104: ...ion has the risk of slow DNS responses All requests from each computer in the local network will be sent to the Internet use the DNS server within the local network if available The DNS server must be...

Страница 105: ...NS resolver Warning If DNS forwarder is not used for your network configuration it can be switched off If you want to run another DNS server on the same host DNS forwarder must be disabled otherwise c...

Страница 106: ...ery is forwarded to another DNS server hosts file this file can be found in any operating system supporting TCP IP Each row of this file includes host IP addresses and a list of appropriate DNS names...

Страница 107: ...od through the following example Example The local domain s name is company com The host called john is configured so as to obtain an IP address from the DHCP server After the operating system is star...

Страница 108: ...ing rules are applied only if the DNS module is not able to respond by using the information in the hosts system file and or by the DHCP lease table Clicking on the Define button in the DNS module con...

Страница 109: ...me queries Use the If the queried name matches entry to specify a corresponding DNS name name of a host in the domain It is usually desirable to forward queries to entire domains rather than to specif...

Страница 110: ...cts appro priate configuration parameters IP address with appropriate subnet mask and other optional parameters such as IP address of the default gateway addresses of DNS servers domain name etc for t...

Страница 111: ...wo parts in one address scopes and in the other reservations are defined Figure 8 5 DHCP server IP scopes In the Item column you can find subnets where scopes of IP addresses are defined The IP subnet...

Страница 112: ...with a complete list of advanced parameters sup ported by DHCP including the four mentioned above Any parameter supported by DHCP can be added and its value can be set within this dialog Default param...

Страница 113: ...belong to the subnet defined by the mask If this requirement is not met an error will be reported after the confirmation with the OK button Lease time Time for which an IP address is assigned to clien...

Страница 114: ...assigned IP address of the interface the network is connected to Default gateway of another network would be useless not available to clients DNS server any DNS server or more DNS servers separated wi...

Страница 115: ...percentage proportion of leases number and percentage proportion of free addresses Figure 8 10 DHCP server statistics leased and free IP addresses within the scope Lease Reservations DHCP server enab...

Страница 116: ...e address when leased If the IP address is already included to a scope DHCP parameters belonging to the scope are used automatically In the Lease Reservation dialog window additional parameters can be...

Страница 117: ...released addresses are kept by the DHCP server and can be used later if the same client demands a lease If free IP addresses are lacked these addresses can be leased to other clients 2 Declined addre...

Страница 118: ...to the lease reservation dialog automatically To reserve an IP address for a hostname change settings of the Reservation For and Value items DHCP server advanced options Other DHCP server parameters...

Страница 119: ...imeout option 8 3 Dynamic DNS for public IP address of the firewall Kerio WinRoute Firewall provides among others services for remote access from the Internet to the local network VPN server see chapt...

Страница 120: ...r IP address up to date and mapped services may be accessed by the corresponding host name Note 1 Usage of DDNS follows conditions of the particular provider 2 Dynamic DNS records use very short time...

Страница 121: ...rver is not available user authentication failed etc This report is also recorded in the error log 8 4 Proxy server Even though the NAT technology used in WinRoute enables direct access to the Interne...

Страница 122: ...server is used it is not necessary to edit configuration of individual hosts or only some hosts should be re configured The WinRoute s proxy server can be used for HTTP HTTPS and FTP protocols Proxy...

Страница 123: ...ured traffic performed by HTTP and or FTP In WinRoute HTTP traffic is controlled by a protocol inspectors which allows only valid HTTP and FTP queries Forward to parent proxy server Tick this option f...

Страница 124: ...sin gle click 8 5 HTTP cache Using cache to access Web pages that are opened repeatedly reduces Internet traffic in case of line where traffic is counted it is also remarkable that using of cache dec...

Страница 125: ...ject validity within the cache This time is used when TTL of a particular object is not defined to define TTL use the URL specific settings button see below TTL defined by the Web server is not accept...

Страница 126: ...ax HTTP object size maximal size of the object that can be stored in cache With respect to statistics the highest number of requests are for small objects i e HTML pages images etc Big sized objects s...

Страница 127: ...or updates of objects stored in the cache regardless of whether the client demands this Note Clients can always require a check for updates from the Web server regardless of the cache settings Use com...

Страница 128: ...current cache size occupied and efficiency of the cache The efficiency status stands for number of objects kept in the cache it is not necessary to download these objects from the server in proportio...

Страница 129: ...e in bytes B and number of hours representing time left to the expiration To keep the list simple and well organized up to 100 items are displayed at a single page The Previous and Next buttons can be...

Страница 130: ...r the other traffic where big data volumes are not transmitted but where for example response time may play a role 9 1 How the bandwidth limiter works and how to use it The Bandwidth Limiter module pr...

Страница 131: ...while ISPs usually use kilobits per second kbps kbit s or kb s or in megabits per second Mbps Mbit s or Mb s The conversion pattern is 1 KB s 8 kbit s A 256 kbit s line s speed is 32 KB s a 1 Mbit s...

Страница 132: ...details see chapter 15 1 Advanced Options Click on Advanced to define advanced Bandwidth Limiter parameters These parameters ap ply only to large data volume transfers They do not apply to users with...

Страница 133: ...ection of network services IP Addresses and Time Interval It may be also helpful to apply bandwidth limiter only to certain hosts for example it may be undesired to limit a mailserver in the local net...

Страница 134: ...ved in a connection belongs to the address group The other traffic will not be limited Apply to all except the selected address group the bandwidth limiter will not be applied if at least one IP addre...

Страница 135: ...r certain amount of data objects included at the page and then closes the connections Terminal services e g Telnet SSH etc typically use an open connection to transfer small data volumes in longer int...

Page 136: ...data volume transfer since after 150 KB of data have been transferred before an only 5 sec long idleness interval and then only other 150 KB of data have been transmitted within the connection Figure...

Page 137: ...their access rights Users can connect Manually by opening the WinRoute web interface in their browser https://server:4081 or http://server:4080 the name of the server and the port numbers are examples onl...

Page 138: ...to the page including the information where the access was denied Note Users will be redirected to a secured or unsecured web interface according to the fact which version of web interface is allowed...

Page 139: ...trix Presentation Server or Fast user switching on Windows XP Windows Server 2003 Windows Vista and Windows Server 2008 the firewall requires authentication only from the user who starts to work on th...

Page 140: ...nutes of allowed user inactivity When this period expires the user is automatically logged out from the firewall The default timeout value is 120 minutes 2 hours This situation often comes up when a...

Page 141: ...R and user web interface are addressed in detail in the Kerio WinRoute Firewall User's Guide 11.1 Web interface preferences To define basic WinRoute Web interface parameters go to the Web Interface fo...

Page 142: ...e DNS module in WinRoute as a DNS server there is no need to add the server name to DNS The name is already known and combined with the name of the local domain see chapter 8.1.2 In the Software Appli...

Page 143: ...s of the web interface However in WinRoute for Windows the standard HTTPS port 443 uses the Clientless SSL VPN interface see chapter 24 Therefore it cannot be used for secured web interface in the def...

Page 144: ...is key is then used for encryption and decipher any other traffic Generate or Import Certificate During WinRoute installation a testing certificate for the SSL secured Web interface is created automat...

Page 145: ...nsures your clients security as it is unique and the identity of your server is guaranteed by it Clients will be warned only about the fact that the certificate was not issued by a trustworthy certifi...

Page 146: ...w statistics see chapter 15.2 either Kerio StaR is opened or a page with status information and personal preferences is displayed upon logon If more than one Active Directory domain are used see chapt...

Page 147: ...certain HTML items i.e. scripts ActiveX objects etc filtering based on classification by the Kerio Web Filter module worldwide website classification database limitations based on occurrence of denied...

Page 148: ...ps secure kerio com However it is not possible to filter individual objects at these servers 12.2 URL Rules These rules allow the administrator to limit access to Web pages with URLs that meet certain...

Page 149: ...2 IP Groups IP group to which the rule is applied The IP groups include addresses of clients workstations of users who connect to the Internet through WinRoute Valid Time time interval during which th...

Page 150: ...user groups Click on the Set button to select users or groups hold the Ctrl and the Shift keys to select more than one user group at once Note In rules username represents IP address of the host fro w...

Page 151: ...Deny access to the Web site requested page will be blocked The user will be informed that the access is denied or a blank page will be displayed according to settings in the Advanced tab see below Ti...

Page 152: ...g this button users can force WinRoute to open the required page even though this site is denied by a URL rule The rule will be opened for certain time 10 minutes by default Each user can unlock a lim...

Page 153: ...s for Websites with content meeting a URL rule WWW content scanning options In this section you can define advanced parameters for filtering of objects contained in web pages which meet the particular...

Page 154: ...e option is selected by default for its better reference Use the Apply filtering rules also for local server to specify whether content filtering rules will be applied to local WWW servers which are a...

Page 155: ...s from the WinRoute installation and options in the Kerio Web Filter tab will not be available For detailed information about the licensing policy read chapter 44 Kerio Web Filter configuration The Ke...

Page 156: ...e.g. www.kerio.com/index.html URL using wildcard matching e.g. ker o An asterisk stands for any number of characters even zero a ker o question mark represents just one symbol Description Comments for...

Page 157: ...12.3 Content Rating System Kerio Web Filter 157 Figure 12.7 Kerio Web Filter rule...

Page 158: ...ect classification All unlock queries are logged into the Filter log here you can monitor whether unlock queries were appropriate or not 12.4 Web content filtering by word occurrence WinRoute can also...

Page 159: ...pose that some forbidden words have been already defined and a threshold value has been set for details see below On the URL Rules tab under Configuration Content Filtering HTTP Policy create a rule o...

Page 160: ...tering web pages by word occurrence word filtering Word groups To define word groups go to the Word Groups tab in Configuration Content Filtering HTTP Policy the Forbidden Words tab Words are sorted i...

Page 161: ...lue specified in Deny pages with weight over represents so called threshold weight value for each page i.e. total weight of all forbidden words found at the page If the total weight of the tested page...

Page 162: ...ry does not match any rule access to the FTP server is implicitly allowed Note 1 The default WinRoute configuration includes a set of predefined rules for FTP traffic These rules are disabled by defau...

Page 163: ...the rule Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later Note FTP traffic which does not match any FTP rule is allowed any traffic permit...

Page 164: ...name of a particular FTP server If an FTP server is defined through a DNS name WinRoute will automatically perform IP address resolution from DNS The IP address will be resolved immediately when sett...

Page 165: ...make the rule independent of clients Click on the Edit button to edit IP groups for details see chapter 14.1 Content Advanced options for FTP traffic content Use the Type option to set a filtering me...

Page 166: ...tent for viruses according to scanning rules Use this option to enable disable scanning for viruses for FTP traffic which meet this rule This option is available only for allowing rules it is meaningl...

Page 167: ...otocols it should be applied and if possible and desired to try the configuration in the trial version of WinRoute before purchasing a license Note 1 However supported external antiviruses as well as...

Page 168: ...Note A corresponding protocol inspector can be also specified within the service definition or both definition methods can be used Both methods yield the same result however the corresponding traffi...

Page 169: ...ad update attempt sets the Last update check performed value to zero Warning To make the antivirus control as mighty as possible it is necessary that the antivirus module is always equipped by the mos...

Page 170: ...version(s) as well as information regarding the age of the current virus database will be displayed If the update check fails i.e. the server is not available an error will be reported and detailed info...

Page 171: ...ramatically It might happen that the connection over which the file is transferred is interrupted when the time limit is exceeded The optimal value of the file size depends on particular conditions th...

Page 172: ...for HTTP and FTP traffic objects files of selected types are scanned The file just transmitted is saved in a temporary file on the local disk of the firewall WinRoute caches the last part of the tran...

Page 173: ...te host WinRoute administrators can later try to heal the file using an antivirus program and if the file is recovered successfully the administrator can provide it to the user who attempted to downl...

Page 174: ...inRoute will consider these files as infected and deny their transmission Hint It is recommended to combine this option with the Move the file to quarantine function the WinRoute administrator can ext...

Page 175: ...he object e.g. www.kerio.com/img/logo.gif a string specified by a wildcard matching e.g. exe or a server name e.g. www.kerio.com Server names represent any URL at a corresponding server www.kerio.com If...

Page 176: ...s is caused by the fact that the firewall cannot handle email messages like mailservers do It only maintains network traffic coming through In most cases removal of an entire message would lead to a f...

Page 177: ...d This text informs the recipient of the message and it can be also used for automatic message filtering Note Regardless of what action is set to be taken the attachment is always removed and a warnin...

Page 178: ...as when a virus was detected including all the actions described above Allow delivery of the attachment WinRoute behaves as if password protected or damaged files were not infected Generally this opti...

Page 179: ...ck will be applied By default only files downloaded from a remote client to a local host are scanned to avoid slowdown local network is treated as trustworthy If the antivirus check fails Options in t...

Page 180: ...s IP address ranges subnets or other groups Creating and Editing IP Address Groups You can define IP address groups in the Configuration Definitions Address Groups section Figure 14.1 WinRoute's IP gr...

Page 181: ...ters of the new item related to the selected type Description Commentary for the IP address group This helps guide the administrator Note Each IP group must include at least one item Groups with no it...

Page 182: ...eated edited and removed in Configuration Definitions Time Ranges Clicking on the Add button will display the following dialog window Name Name identification of the time interval Insert a new name to...

Page 183: ...ces WinRoute services enable the administrator to define communication rules easily by permitting or denying access to the Internet from the local network or by allowing access to the local network f...

Page 184: ...services Clicking on the Add or the Edit button will open a dialog for service definition Figure 14.6 Network service definition Name Service identification within WinRoute It is strongly recommended...

Page 185: ...g an inappropriate inspector Source Port and Destination Port If the TCP or UDP communication protocol is used the service is defined with its port number In case of standard client server types a ser...

Page 186: ...appropriate client in the local network Due to this fact users in the local network are not limited by the firewall and they can use both FTP modes active passive The protocol inspector is enabled if...

Page 187: ...URL group and assign permissions to the URL group rather than defining permissions to each individual URL rule A URL group rule is processed significantly faster than a greater number of separate rul...

Page 188: ...oup where the item will be included Type Type of the item URL or URL group groups can be cascaded URL URL Group URL or URL group that will be added to the group depending on the item type URL can be s...

Page 189: ...14.4 URL Groups 189 Description The item's description comments and notes for the administrator...

Page 190: ...NT or Active Directory domain i.e. password is not stored in the user account in WinRoute Obviously usernames in WinRoute must match with the usernames in the domain This method is not so demanding as...

Page 191: ...es connection to the WinRoute administration in case of the network or domain server failure 15.1 Viewing and definitions of user accounts To define local user accounts import accounts to the local da...

Page 192: ...s are available for accounts in the local database Add Edit Remove Click Add Edit or Remove to create modify or delete local user accounts for details see chapter 15.2 It is also possible to select mo...

Page 193: ...h the WinRoute's internal database Active Directory or Windows NT domain The basic administrator account Admin is created during the WinRoute installation process This account has full rights for WinR...

Page 194: ...pter 15 User Accounts and Groups 194 Figure 15.2 Local user accounts in WinRoute Step 1 basic information Figure 15.3 Creating a user account basic parameters Name Username used for login to the accou...

Page 195: ...see below Account is disabled Temporary blocking of the account so that you do not have to remove it Note For example this option can be used to create a user account for a user that will not be used...

Page 196: ...main tab to set parameters for user authentication through the Windows NT domain and/or through the Active Directory If Active Directory authentication is set also for Windows NT domain then Active Di...

Page 197: ...ut cannot edit them Full access to administration These users have full rights to administration and are equal to the Admin account If there is at least one user with the full access to the administra...

Page 198: ...to view firewall statistics in the web interface see chapter 11 Hint Access rights can also be defined by a user account template Step 4 data transmission quota Daily and monthly limit for volume of...

Page 199: ...ee Step 1 SMTP Relay must be set in WinRoute see chapter 18.3 If you wish that your WinRoute administrator is also notified when a quota is almost exceeded set the alert parameters in Configuration Ac...

Page 200: ...r quota and actions applied in response can also be set by a user account template Step 5 web content rules and language preferences Figure 15.7 Creating a new user account Web site content rules In t...

Page 201: ...ser's web browser preferences language set as preferred for the previous user's login to the web interface will be used If the user has not logged into the web interface before alerts will be in Engli...

Page 202: ...re automatic login should be accompanied by another security feature such as by user login to the operating system IP address which will be always assigned to the VPN client of the particular user can...

Page 203: ...ch as access rights content rules data transfer quotas etc can be set by using the template for the local user database see chapter 15.1 and/or they can be defined individually for special accounts Th...

Page 204: ...for each domain that will be used to set specific WinRoute parameters for user accounts access rights data transfer quotas content rules see chapter 15.1 If needed these parameters can also be set in...

Page 205: ...a single domain are applied the WinRoute's DNS forwarder is the best option Domain mapping settings To set Active Directory domain mapping go to the Administration Console section Users and groups U...

Page 206: ...read rights for the user database any user account of the domain can be used unless it is blocked Figure 15.12 Primary domain mapping Advanced Options Method of cooperation between WinRoute and the A...

Page 207: ...password an account with the same name will be created in the local database automatically This option is available above all to keep the environment compatible with older WinRoute versions In new in...

Page 208: ...n server or on all servers of the particular domain if automatic detection is used Mapping of other domains To map user accounts from multiple Active Directory domains add domains in advanced settings...

Page 209: ...unts Figure 15.15 Conversion of user accounts The following operations will be performed automatically within each conversion substitution of any appearance of the local account in the WinRoute config...

Page 210: ...Directory domains see chapter 15.4 and the local user database In WinRoute it is possible to create groups only in the local user database It is not possible to create groups in mapped Active Direct...

Page 211: ...cal User Database Click Add to start a wizard where a new user group can be created Step 1 Name and description of the group Figure 15.17 Creating a user group basic parameters Name Group name group i...

Page 212: ...ther the Ctrl or the Shift key Step 3 group access rights Figure 15.19 Creating a user group members user rights The group must be assigned one of the following three levels of access rights No access...

Page 213: ...the Internet using the Kerio VPN Client for details see chapter 23 User can use Clientless SSL VPN Members of this group will be allowed to access shared files and folders in the local network via the...

Page 214: ...d time zone Server name Name is important both for some WinRoute services e.g. secured web interface and for the firewall's operating system's services The DNS forwarder module in WinRoute sets IP addr...

Page 215: ...inition can be done with the predefined service KWF Admin the secured version of the Web Administration interface use TCP protocol on port 4081 by default predefined KWF WebAdmin SSL service How to al...

Page 216: ...at the Kerio Technologies website Whenever a new version is detected its download and installation is offered Open the Update Checker tab in the Configuration Advanced Options section to view informa...

Page 217: ...onality of your networks etc Check now Click on this button to check for updates immediately If a new version is available detailed information links and download links links to installation files are...

Page 218: ...etworks i.e. to hosts on which clients of such networks are run Blocking options it is possible to block access to the Internet for a particular host or to restrict the access only to selected services...

Page 219: ...es traffic for this user automatically when the specified time expires The time of disconnection should be long enough to make the user consider consequences and to stop trying to connect to P2P netwo...

Page 220: ...en a P2P network is detected e.g. the WinRoute administrator define the alert on the Alerts Settings tab of the Configuration Accounting section For details see chapter 19.4 Parameters for detection o...

Page 221: ...of so called secure services These services will be excluded from detection of P2P traffic The Define services button opens a dialog where services can be defined that will not be treated as traffic i...

Page 222: ...Detailed information on networks connected to individual interfaces is acquired in the routing table The Anti Spoofing function can be configured in the Anti Spoofing folder in Configuration Advanced...

Page 223: ...horse Count limit for outgoing connections is useful for example when a local client host is attacked by a worm or Trojan horse which attempts to establish connections to larger number of various se...

Page 224: ...the route -p command Note 1 In the Internet connection failover mode see chapter 6.3 only the current default route is shown depending on which Internet interface is currently active 2 In case of multi...

Page 225: ...removing of VPN tunnels VPN routes cannot be created modified nor removed by hand Inactive routes routes which are currently inactive are shown in a separate section These can be static routes that a...

Page 226: ...through to reach the destination network Metric is used to find the best route to the desired network The lower the metric value the shorter the route is Note Metric in the routing table may differ f...

Page 227: ...outes the methods vary according to operating system in some systems the route -p or the route command called from an execution script can be used etc It is not possible to find out how a particular pe...

Page 228: ...through ports mapped with UPnP will be recorded in the Filter log see chapter 22.9 Log connections If this option is enabled all packets passing through ports mapped with UPnP will be recorded in the...

Page 229: ...server tab in Configuration Advanced Options Figure 18.5 SMTP settings reports sending Server Name or IP address of the server Note If available we recommend you to use an SMTP server within the local...

Page 230: ...resolved warning message is displayed in the SMTP Relay tab until the IP address is found If the warning is still displayed this implies that an invalid non existent DNS name is specified or the...

Page 231: ...on about certain activity is reported e.g. error or warning reports debug information etc Each item is represented by one row starting with a timestamp date and time of the event In all language versi...

Page 232: ...f the host from which the user is connecting Login time Date and time of the recent user login to the firewall Login duration Monitors length of the connection This information is derived from th...

Page 233: ...ter or Firefox SeaMonkey core version 1.3 or later is used VPN client user has connected to the local network using the Kerio VPN Client for details see chapter 23 Note Connections are not displayed a...

Page 234: ...n in the Active Hosts window Information can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh Logout user Immediate logout of a s...

Page 235: ...d seconds when the activity was detected Activity Event Type of detected activity network communication WinRoute distinguishes between the following activities SMTP POP3 WWW HTTP traffic FTP Streams r...

Page 236: ...Connections tab you can view detailed information about connections established from the selected host to the Internet and in the other direction e.g. by mapped ports UPnP etc The list of connections p...

Page 237: ...ion to enable disable showing of DNS names instead of IP addresses in the Source and Destination columns If a DNS name for an IP address cannot be resolved the IP address is displayed You can click o...

Page 238: ...n the selected period The green curve represents volume of incoming data download in a selected time period while the area below the curve represents the total volume of data transferred in the perio...

Page 239: ...h individual messages so called datagrams Periodic data exchange is monitored in this case Figure 19.7 Overview of all connections established via WinRoute One connection is represented by each line o...

Page 240: ...ormation in Connections is refreshed automatically within a user defined interval or the Refresh button can be used for manual refreshing Options of the Connections Dialog The following options are av...

Page 241: ...omatic refreshing of the information in the Connections window Information can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh M...

Page 242: ...e distinguished by detection of direction of IP addresses out SNAT or in DNAT For details refer to chapter 7 19.3 List of connected VPN clients In Status VPN clients you can see an overview of VPN cli...

Page 243: ...ll via the Administration Console too frequently to view all status information and logs however this does not mean that it is not worthy to do this occasionally WinRoute generates alert messages upo...

Page 244: ...gs statistics configuration settings temporary files e.g. an installation archive of a new version or a file which is currently scanned by an antivirus engine and other information Whenever the WinRou...

Page 245: ...ents can be selected from the list of users email addresses used for other alerts or new email addresses can be added by hand Valid at time interval Select a time interval in which the alert will be s...

Page 246: ...uage set in the Administration Console is used if a template in a corresponding language is not found the alert is displayed in English Overview of all sent alerts sorted by dates and times is provide...

Page 247: ...19.4 Alerts 247 Figure 19.14 Details of a selected event...

Page 248: ...olumn provides usage of transfer quota by a particular user in percents see chapter 15.1 Colors are used for better reference green 0-74% of the quota is used yellow 75-99% of the quota is used red 100...

Page 249: ...t time the WinRoute Firewall Engine will be started User Quota dialog options Right click on the table or on an item of a selected user to open the context menu with the following options Figure 20.2...

Page 250: ...tomatic refreshing of the information on the User Statistics tab Information can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh...

Page 251: ...sent to the local network through this interface Note Interface statistics are saved into the stats.cfg configuration file in the WinRoute's installation directory This implies that they are not rese...

Page 252: ...ve interface statistics This option removes the selected interface from the statistics Only inactive interfaces i.e. disconnected network adapters hung up dial ups disconnected VPN tunnels or VPN serve...

Page 253: ...maximal value of the time interval and is set automatically bytes per second is the basic measure unit B/s Select an option for Picture size to set a fixed format of the chart or to make it fit to the...

Page 254: ...nrecommended to use them for example to figure out exact numbers of Internet connection costs per user 3 For correct functionality of the Kerio StaR interface it is necessary that the WinRoute host s...

Page 255: ...g the particular protocol inspector are applied see chapter 7.7 If the WinRoute proxy server is used visited pages are monitored by the proxy server itself see chapter 8.4 Note HTTPS traffic is encryp...

Page 256: ...or statistics and quota Under certain circumstances too many connected users great volume of transmitted data low capacity of the WinRoute host etc viewing of statistics may slow WinRoute and data tra...

Page 257: ...Kerio StaR interface see chapter 20 Figure 21.2 Kerio StaR advanced options The Show user names in statistics by option enables selecting a mode of how users and their names will be displayed in individ...

Page 258: ...red and included in statistics and quota e.g. only in working hours Without this period no traffic will be included in the statistics and in the quota either For details on time intervals see chapter...

Page 259: ...ps refer to chapter 14.1 URL exceptions can be applied only to unsecured web pages the HTTP protocol Connections to secured pages the HTTPS protocol are encrypted and URL of such pages cannot be dete...

Page 260: ...network To make Internet Usage Statistics link work also for remote administration over the Internet name of the particular server must be defined in the public DNS with the IP address of the particul...

Page 261: ...r StaR means processing of large data volumes To reduce load on the firewall data for StaR is updated approximately once an hour The top right corner of each StaR page displays information about wh...

Page 262: ...ministration Console Individual logs can be rotated after a certain time period or when a threshold of the file size is reached log files are stored and new events are logged to a new empty file Admin...

Page 263: ...ted intervals Weekly rotation takes effect on Sunday nights Monthly rotation is performed at the end of the month in the night when one month ends and another starts Rotate when file exceeds size Set...

Page 264: ...gs 264 Figure 22.2 File logging settings ter 21.2 Rotation follows the rules described above Syslog Logging Parameters for logging to a Syslog can be defined in the External Logging tab Figure 22.3 Sy...

Page 265: ...right click inside any log window a context menu will be displayed where you can choose several functions or change the log's parameters view logged information Figure 22.4 Logs Context Menu Copy Copi...

Page 266: ...inistration saving of an entire log may take some time Find Use this option to search for a string in the log Logs can be scanned either Up search for older events or Down search for newer events from...

Page 267: ...oved logs cannot be refreshed anymore Note If a user with read rights only is connected to WinRoute see chapter 15.1 the Log settings and Clear log options are missing in the log context menu Only use...

Page 268: ...hlighted or by a so called regular expression all lines containing one or multiple strings matching the regular expression will be highlighted The Description item is used for reference only It is rec...

Page 269: ...actions were performed by which user and when The Config window contains three log types 1 Information about user logins logouts to from the WinRoute's administration Example 18 Apr 2008 10:25:02 jam...

Page 270: ...18 Apr 2008 12:06:03 Admin 1 name ICMP traffic src any dst any service Ping snat any dnat any action Permit time_range always inspector default 18 Apr 2003 12:06:03 date and time of the change Admin...

Page 271: ...s would slow WinRoute down Duration 121 sec duration of the connection in seconds Bytes 1575/1290/2865 number of bytes transferred during this connection transmitted accepted total Packets 5/9/14 numb...

Page 272: ...r setting the Expression entry blank Show status A single overview of status information regarding certain WinRoute components This information can be helpful especially when solving problems with Ker...

Page 273: ...routing information web server for Clientless SSL VPN etc 22.7 Dial Log Data about dialing and hanging up the dial up lines and about time spent on line The following items events can be reported in...

Page 274: ...ed dialing of line Connection 15 Mar 2008 15:51:38 Line Connection successfully connected The first log item is recorded upon reception of a DNS request the DNS module has not found requested DNS reco...

Page 275: ...ious security problems might arise A typical error message in the Error log could be a problem when starting a service usually a collision at a particular port number problems when writing to the disk...

Page 276: ...ed see chapter 7 or meeting other conditions e.g. logging of UPnP traffic see chapter 18.2 Each log line includes the following information depending on the component which generated the log when an HT...

Page 277: ...TCP only win size of the receive window in bytes it is used for data flow control TCP only tcplen TCP payload size i.e. size of the data part of the packet in bytes TCP only 22.10 Http log This log con...

Page 278: ...4 64 TCP_MISS 304 0 GET http://www.squid-cache.org DIRECT 206.168.0.9 1058444114.733 timestamp seconds and milliseconds since January 1st 1970 0 download duration not measured in WinRoute always set to...

Page 279: ...y win size of the receive window in bytes it is used for data flow control TCP only tcplen TCP payload size i.e. size of the data part of the packet in bytes TCP only 2 FTP protocol parser log records...

Page 280: ...01 51 Copy File User jsmith@company.com File server data www index html The Clientless SSL VPN interface and the corresponding record is available in WinRoute for Windows only 22.13 Warning Log Th...

Page 281: ...lid password The third log informs on an authentication attempt by a user which does not exist johnblue Note With the above three examples the relevant records will also appear in the Security log 22...

Page 282: ...Chapter 22 Logs 282 Note If the page title cannot be identified i.e. its content is compressed the Encoded content will be reported http://www.kerio.com URL pages...

Page 283: ...ons Identities of individual clients are authenticated against a username and password transmitted also by secured connection so that unauthorized clients cannot connect to local networks Remote conne...

Page 284: ...affic rules For details refer to chapters 23.2 and 23.3 VPN server is available in the Interfaces tab of the Configuration Interfaces section as a special interface Figure 23.1 Viewing VPN server in...

Page 285: ...omatic detection is not performed again Warning Make sure that the subnet for VPN clients does not collide with any local subnet WinRoute can detect a collision of the VPN subnet with local subnets Th...

Страница 286: ...ficate fingerprint can be saved to the clipboard and pasted to a text file email mes sage etc Click Change SSL Certificate to set parameters for the certificate of the VPN server For the VPN server yo...

Страница 287: ...ts to it can use hostnames within this network e g server Otherwise full name of the host including domain is required e g server company local DNS extension can be also resolved automatically or set...

Страница 288: ...nced Options Listen on port The port on which the VPN server listens for incoming connections both TCP and UDP protocols are used The port 4090 is set as default under usual circumstances it is not ne...

Страница 289: ...in the demilitarized zone at the VPN server s side is being added 23 2 Configuration of VPN clients The following conditions must be met to enable connection of remote clients to local networks via en...

Страница 290: ...the VPN server is running at another port this service must be redefined The second rule allows communication between the firewall local network and VPN clients If the rules are set like this all VPN...

Страница 291: ...etwork via the Internet VPN tunnel Note Each installation of WinRoute requires its own license see chapter 4 Setting up VPN servers First the VPN server must be allowed by the traffic policy and enabl...

Страница 292: ...ast one end of each VPN tunnel must be switched to the active mode passive servers cannot initialize connection Configuration of a remote end of the tunnel When a VPN tunnel is being created identity...

Страница 293: ...module at the other end of the tunnel DNS domain or subdomain must be used at both sides of the tunnel Note To provide correct forwarding of DNS queries sent from the WinRoute host at any side of the...

Страница 294: ...that the corresponding tunnel has been disconnected the first connection establishment is attempted immediately after the tunnel is defined and upon clicking the Apply button in Configuration Interfa...

Страница 295: ...outgoing connection for the Kerio VPN service from the firewall to the Internet If basic traffic rules are already created by the wizard refer to chapter 23 2 simply add a corresponding VPN tunnel in...

Страница 296: ...y occur in case of a VPN client connecting to the WinRoute s VPN server To avoid the problems just described it is possible to go to the VPN tunnel definition dialog see chapter 23 3 or to the VPN ser...

Страница 297: ...client is connected to the server when information in a routing table at any side of the tunnel or at the VPN server is changed periodically every 10 minutes The timeout starts upon each update regard...

Страница 298: ...headquarter and a filial office by VPN tunnel connection of VPN clients is possible Suppose that both networks are already deployed and set according to the figure and that the Internet connection is...

Страница 299: ...belonging to the host as the primary DNS server As a secondary DNS server a server where DNS requests addressed to other domains will be forwarded must be specified typically the ISP s DNS server Not...

Страница 300: ...out whether the subnets do not collide i e whether the same subnet is not used at both ends of the tunnel If an IP address is tested successfully and an error is reported Unknown host when a cor resp...

Страница 301: ...arter default traffic rules for Kerio VPN When the VPN tunnel is created customize these rules according to the restriction re quirements see item 6 Note To keep the example as simple and transparent...

Страница 302: ...ry DNS server for the WinRoute host s interface connected to the LAN 1 local network It is not necessary to set DNS server at the interface connected to LAN 2 DNS configuration is applied globally to...

Страница 303: ...addresses or enable cooperation of the DNS module with the DHCP server in case that IP addresses are assigned dynamically to these hosts For details see chapter 8 1 4 Enable the VPN server and configu...

Страница 304: ...cording to the restriction requirements In the Local Traffic rule remove all items except those belonging to the local network of the company headquarters i e except the firewall and LAN 1 and LAN 2 D...

Страница 305: ...guration of a filial office 1 Install WinRoute version 6 0 0 or later at the default gateway of the branch office server 2 Use Network Rules Wizard see chapter 7 1 to configure the basic traffic polic...

Страница 306: ...default traffic rules for Kerio VPN When the VPN tunnel is created customize these rules according to the restriction re quirements Step 6 3 Customize DNS configuration as follows In the WinRoute s DN...

Страница 307: ...the other hosts Note For proper functionality of DNS the DNS database must include records for hosts in a corresponding local network To achieve this save DNS names and IP addresses of local hosts int...

Страница 308: ...be created If connected successfully the Connected status will be reported in the Adapter info column for both ends of the tunnel If the connection cannot be established we recommend you to check the...

Страница 309: ...ilial office definition of VPN tunnel for the headquarters Figure 23 29 Filial office final traffic rules Note It is not necessary to perform any other customization of traffic rules The required rest...

Страница 310: ...o redundant routes see chapter 23 5 is setting of routing between endpoints of individual tunnels In such a case it is necessary to set routing between individual endpoints of VPN tunnels by hand Auto...

Страница 311: ...nfiguration see figure 23 30 Note For each installation of WinRoute a separate license for corresponding number of users is required For details see chapter 4 2 Configure and test connection of the lo...

Страница 312: ...to one of the remote networks The passive endpoint of the tunnel must be created at a server with fixed public IP address Only active endpoints of VPN tunnels can be created at servers with dynamic IP...

Страница 313: ...sic traffic policy in WinRoute To keep the example as simple as possible it is supposed that the access from the local network to the Internet is not restricted i e that access to all services is allo...

Страница 314: ...forwarding option and define rules for names in the filial1 company com and filial2 company com domains To specify the for warding DNS server always use the IP address of the WinRoute host s inbound i...

Страница 315: ...23 6 Example of a more complex Kerio VPN configuration 315 Figure 23 35 Headquarter TCP IP configuration at a firewall s interface connected to the local network...

Страница 316: ...ble Note A free subnet which has been selected is now specified automatically in the VPN network and Mask entries Check whether this subnet does not collide with any other subnet in the headquarters o...

Страница 317: ...gerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate Figure 23 37 Headquarter definition of VPN tunnel for the London filial On th...

Страница 318: ...cribed here is applied see figure 23 30 it is un recommended to use automatically provided routes In case of an automatic exchange of routes the routing within the VPN is not be ideal for example any...

Страница 319: ...unnel connected to the Paris filial Figure 23 39 The headquarters definition of VPN tunnel for the Paris filial On the Advanced tab select the Use custom routes only option and set routes to the sub n...

Страница 320: ...Chapter 23 Kerio VPN 320 Figure 23 40 The headquarters routing configuration for the tunnel connected to the Paris filial Figure 23 41 Headquarter final traffic rules...

Страница 321: ...imple as possible it is supposed that the access from the local network to the Internet is not restricted i e that access to all services is allowed in step 4 In step 5 of the wizard select the Create...

Страница 322: ...onnected to the local network at the remote side of the tunnel Figure 23 45 The London filial office DNS forwarding settings Set the IP address of this interface 172 16 1 1 as a primary DNS server for...

Страница 323: ...ion of the fingerprint of the remote SSL certificate On the Advanced tab select the Use custom routes only option and set routes to headquar ters local networks At this point connection should be esta...

Страница 324: ...Chapter 23 Kerio VPN 324 branch office server Figure 23 47 The London filial office definition of VPN tunnel for the headquarters...

Страница 325: ...23 6 Example of a more complex Kerio VPN configuration 325 Figure 23 48 The London filial routing configuration for the tunnel connected to the headquarters...

Страница 326: ...SSL certificate Figure 23 49 The London filial office definition of VPN tunnel for the Paris filial office On the Advanced tab select the Use custom routes only option and set routes to Paris local ne...

Страница 327: ...e of a more complex Kerio VPN configuration 327 Figure 23 50 The London filial routing configuration for the tunnel connected to the Paris branch office Figure 23 51 The London filial office final tra...

Страница 328: ...e access from the local network to the Internet is not restricted i e that access to all services is allowed in step 4 Figure 23 52 The Paris filial no restrictions are applied to accessing the Intern...

Страница 329: ...IP address of this interface 172 16 1 1 as a primary DNS server for the WinRoute host s interface connected to the LAN 1 local network It is not necessary to set DNS at the interface connected to LAN...

Страница 330: ...Chapter 23 Kerio VPN 330 Figure 23 55 The Paris filial office VPN server configuration...

Страница 331: ...l for the headquarters On the Advanced tab select the Use custom routes only option and set routes to headquar ters local networks At this point connection should be established i e the tunnel should...

Страница 332: ...Chapter 23 Kerio VPN 332 Paris branch office server Figure 23 57 The Paris filial routing configuration for the tunnel connected to the headquarters...

Страница 333: ...ice definition of VPN tunnel for the London filial office On the Advanced tab select the Use custom routes only option and set routes to London s local networks Like in the previous step check whether...

Страница 334: ...lial office final traffic rules connect to this branch office VPN test The VPN configuration has been completed by now At this point it is recommended to test reachability of the remote hosts in the o...

Страница 335: ...is not possible or useful to use Kerio VPN Client This chapter addresses configuration details needed for proper functionality of the SSL VPN interface The SSL VPN interface is described thoroughly in...

Страница 336: ...ort 443 standard port of the HTTPS service Click Change SSL Certificate to create a new certificate for the SSL VPN service or to import a certificate issued by a trustworthy certification authority W...

Страница 337: ...cal hosts from remote networks are not scanned by antiviruses files downloaded from private networks are considered as trustwor thy Settings of antivirus check can be changed in antivirus configuratio...

Страница 338: ...exported to a tgz package the tar archive compressed by gzip which includes all the key WinRoute configuration files Optionally it is possible to include the web interface s VPN server s and SSL VPN...

Страница 339: ...cks up of configuration user accounts data DHCP server database etc logs cfg Log configurations Note The data in these files are saved in XML format so that it can be easily modified by an advanced us...

Страница 340: ...tabase for statistics of the WinRoute web inter face Handling configuration files We recommend that WinRoute Firewall Engine be stopped prior to any manipulation with the configuration files backups r...

Страница 341: ...User at the client host is required to authenticate to this domain i e local user accounts cannot be used for this purpose 5 The NT domain or the Active Directory authentication method see chapter 15...

Страница 342: ...key with the core version Mozilla 1 3 or later NTLM authentication process NTLM authentication process differs depending on a browser used Internet Explorer NTLM authentication is performed without us...

Страница 343: ...configuration parameter s using the following instructions For direct connection proxy server is not set in the browser Look up the network automatic ntlm auth trusted uris parameter Use the WinRoute...

Страница 344: ...t is not possible to connect directly to the Internet see chapter 8 4 Example of a client configuration web browser Web browsers allow to set the proxy server either globally or for individual protoco...

Страница 345: ...s either single connections to FTP server by the Net FTP New Connection option available in the main menu or creating a bookmark for repeated connec tions Net FTP Connect The proxy server must be conf...

Страница 346: ...the link may stay hung up even if the local network sends requests for Internet connection or it may be dialed unintentionally Information provided in this chapter should help you understand the prin...

Страница 347: ...s a default gateway at any interface packets to the Inter net would be routed via this interface no matter where it is actually connected to and WinRoute would not dial the line 2 Only one link can be...

Страница 348: ...t and the dialing will be available If clients DNS server is located on the Internet the line will be dialed upon a client s DNS query If a local DNS server is used the line will be dialed upon a quer...

Страница 349: ...ly use the hosts system file of the WinRoute host for details see chapter 8 1 Note Undesirable traffic causing unintentional dialing of a link can be blocked by WinRoute traffic rules see chapter 7 3...

Страница 350: ...com The host is called pc1 The full name of the host is pc1 company com whereas local name in this domain is pc1 Local names are usually stored in the database of the local DNS server in this example...

Страница 351: ...1 Essential Information To send a request to our technical support use the contact form at http support kerio com To be able to help you solve your problems the best and in the shortest possible time...

Страница 352: ...e number Please specify whether you have purchased any WinRoute license or if you use the trial version Requirements of owners of valid licenses are always preferred 26 2 Tested in Beta version As to...

Страница 353: ...and Safari are registered trademarks or trademarks of Apple Computer Inc Linux is registered trademark kept by Linus Torvalds Mozilla and Firefox are registered trademarks of Mozilla Foundation Kerber...

Страница 354: ...odified version of the h323plus library distributed under Mozilla Public License MPL The original source code is available at http h323plus org KIPF driver Kerio IP filter driver for Linux WinRoute s...

Страница 355: ...n libkvnet tgz libcurl Copyright 1996 2008 Daniel Stenberg libiconv libiconv converts from one character encoding to another through Unicode conversion WinRoute include a modified version of this libr...

Страница 356: ...ySize Inc All rights reserved Prototype Framework in JavaScript Copyright Sam Stephenson The Prototype library is freely distributable under the terms of a MIT license For details see the Prototype we...

Страница 357: ...irtual server keeps running Connections A virtual bidirectional communication channel between two hosts See also TCP DDNS DDNS Dynamic Domain Name System is DNS with the feature of automatic update of...

Страница 358: ...the client This mode is suitable for cases where the firewall is at the server s side however it is not supported by some clients e g by web browsers passive mode data connection is established also...

Страница 359: ...ode or for encryption of traffic between two hosts so called transport mode Kerberos Kerberos is a system used for secure user authentication in network environments It was developed at the MIT univer...

Страница 360: ...k interface P2P network Peer to Peer P2P networks are world wide distributed systems where each node can represent both a client and a server These networks are used for sharing of big volumes of data...

Страница 361: ...active mode when data connection to a client is established by a server and to filter traffic by the corre sponding protocol e g limited access to Web pages classified by URLs anti virus check of down...

Страница 362: ...es over HTTP protocol Nowadays it is used by almost all standard Internet protocols SMTP POP3 IMAP LDAP etc At the beginning of communication an encryption key is requested and transferred using asymm...

Страница 363: ...t establish new connections nor it provides reliable and sequential data delivery nor it enables error correction or data stream con trol It is used for transfer of small sized data i e DNS queries or...

Страница 364: ...guration 130 detection principle 135 beta version 352 BOOTP 118 C cache directory 125 DNS 105 size 126 URL exceptions 127 certificate SSL VPN 336 VPN server 286 Web Interface 144 Clientless SSL VPN 33...

Страница 365: ...d 57 346 leased line 54 load balancing 66 unintentional dialing 349 IPSec 87 K Kerberos 196 Kerio Administration Console 23 Kerio Web Filter 154 deployment 156 parameters configuration 155 website cat...

Страница 366: ...0 R ranges time 181 182 RAS 118 registration at the Kerio website 43 of purchased product 39 trial version 36 relay SMTP server 229 routing table 224 static routes 225 S services 82 183 SIP 186 SSL VP...

Страница 367: ...01 configuration 138 V VPN 283 client 198 213 289 configuration example 297 Kerio Clientless SSL VPN 335 Kerio VPN 283 routing 296 server 48 284 SSL certificate 286 tunnel 291 VPN client 289 DNS 286 r...

Страница 368: ...368...
