Kerio Tech KERIO WINROUTE FIREWALL 6, Administrator'S Manual

Page 1: ...Kerio WinRoute Firewall 6 Administrator s Guide Kerio Technologies s r o...

Page 2: ...Firewall User s Guide The Kerio VPN Client application is described in a stand alone document Kerio VPN Client User s Guide For current version of the product go to http www kerio com firewall downloa...

Page 3: ...n 27 3 1 Administration Console the main window 28 3 2 Administration Console view preferences 31 4 Product Registration and Licensing 32 4 1 License types and number of users 32 4 2 License informati...

Page 4: ...5 10 User Authentication 137 10 1 Firewall User Authentication 137 11 Web Interface 141 11 1 Web interface preferences 141 11 2 User authentication at the web interface 146 12 HTTP and FTP filtering 1...

Page 5: ...r settings 224 18 1 Routing table 224 18 2 Universal Plug and Play UPnP 227 18 3 Relay SMTP server 229 19 Status Information 231 19 1 Active hosts and connected users 231 19 2 Network connections over...

Page 6: ...7 23 6 Example of a more complex Kerio VPN configuration 310 24 Kerio Clientless SSL VPN Windows 335 24 1 Configuration of WinRoute s SSL VPN 335 24 2 Usage of the SSL VPN interface 337 25 Specific se...

Page 7: ...functionality of the Internet connection and of traffic among hosts within the local network before you run the WinRoute installation This test will reduce possible problems with debugging and error...

Page 8: ...s Automatic configuration activate the Obtain an IP address automatically option Do not set any other parameters Manual configuration define IP address subnet mask default gateway address DNS server a...

Page 9: ...guration of crucial WinRoute parameters the interface traffic policy HTTP and FTP filtering rules user accounts and groups etc However the Kerio Administration Console is still available and allow set...

Page 10: ...ction NAT WinRoute can detect if NAT is active in the RRAS service if it is a warning is dis played In reaction to the alert message the server administrator should disable NAT in the RRAS configurati...

Page 11: ...ail protocols WinRoute also provides with this feature which may cause collisions Therefore it is recommended to install a server version of your antivirus program on the WinRoute host The server vers...

Page 12: ...ollowing browsers can be used to access the WinRoute Kerio StaR see chapter 21 and Kerio SSL VPN see chapter 24 web services Internet Explorer 7 or higher Firefox 2 or higher Safari 3 or higher 2 4 In...

Page 13: ...et WiFi etc or a modem analog ISDN etc as an Internet interface We recommend you to check through the following items before you run WinRoute installation Time of the operating system should be set co...

Page 14: ...e components For detailed descrip tion on the proprietary VPN solution refer to chapter 23 Having completed this step you can start the installation process All files will be copied to the hard disk a...

Page 15: ...users are not allowed access the directory Warning If the FAT32 file system is used it is not possible to protect WinRoute in the way suggested above For this reason it is recommended to install WinRo...

Page 16: ...change these settings Generally the following rules are applied The Windows Firewall Internet Connection Sharing ICS service should be disabled Otherwise WinRoute will not work correctly The option i...

Page 17: ...and it does not display warn ings informing that the system is not protected 2 5 Initial configuration wizard Windows Using this wizard you can define all basic WinRoute parameters It is started auto...

Page 18: ...affic rules see chapter 7 If WinRoute is installed remotely i e using terminal access communication with the remote client will be also inter rupted immediately WinRoute must be configured locally Wit...

Page 19: ...tomatically License all logs and user defined settings are kept safely Note This procedure applies to upgrades between versions of the same series e g from 6 6 0 to 6 6 1 or from a version of the prev...

Page 20: ...tion Sharing Universal Plug and Play Device Host and SSDP Discovery Service system services 2 7 Installation Software Appliance and VMware Virtual Appliance WinRoute in the software appliance edition...

Page 21: ...isk for WinRoute installation Content of the selected disk will be completely removed beforeWinRoute installation while other disk are not affected by the installation If there is an only hard disk de...

Page 22: ...used itself as a DHCP server for local hosts workstations Admin password The installation requires specification of the password for the account Admin the account of the main administrator of the fire...

Page 23: ...asy access to the Administration Console For details refer to chapter 2 10 Note WinRoute Firewall Engine is independent on the WinRoute Engine Monitor The Engine can be running even if there is no ico...

Page 24: ...described later Use the right mouse button to open the following menu Figure 2 7 WinRoute Engine Monitor menu Start up Preferences With these options WinRoute Engine and or WinRoute Engine Monitor app...

Page 25: ...n The firewall s console provides the following configuration options Network Interface Configurations This option allows to show or and edit parameters of individual network interfaces of the firewal...

Page 26: ...res the default firewall settings as installed from the installation CD or upon the first startup of the VMware virtual host All configuration files and data logs statistics etc will be removed and it...

Page 27: ...erio Administration Console Kerio Administration Console referred to as the Administration Console in this document is an application used for administration of all Kerio Technologies server products...

Page 28: ...the window or by following the browser language preferences The Administration Console allows language settings in the Tools menu of the login dialog box 2 Upon the first login to the Administration...

Page 29: ...n terminates the session users are logged out of the server and the administration window is closed The same effect can be obtained by clicking the little cross in the upper right corner of the window...

Page 30: ...ministration Console Ready waiting for user s response Load ing retrieving data from the server or Saving saving changes to the server Detection of WinRoute Firewall Engine connection drop out Adminis...

Page 31: ...ed This entry opens a dialog window where users can select which columns will be displayed hidden Figure 3 3 Column customization in Interfaces This dialog offers a list of all columns available for a...

Page 32: ...st cannot be used as a gateway for the Internet Upon registration with a valid license number received as a response to purchase of the product WinRoute is available with full functionality Note If yo...

Page 33: ...service License is defined only by an expiration date which specifies when this module will be blocked Note Refer to Kerio Technologies website http www kerio com to get up to date infor mation about...

Page 34: ...open the homepage in your default browser Operational system Name of the operating system on which the WinRoute Firewall Engine service is running This is an informative item only the purchased licen...

Page 35: ...to add subscription license numbers or add on licenses add users In any case the registration wizard will be started where basic data are required and additional data can also be defined For detailed...

Page 36: ...e text field this protects the registration server from misuse The security code is not case sensitive Figure 4 2 Trial version registration security code 2 On the second page enter information about...

Page 37: ...tion other information 4 The fourth page provides the information summary If any information is incorrect use the Back button to browse to a corresponding page and correct the data 5 The last page of...

Page 38: ...ge set in the Administration Console where confirmation of the registration is demanded is sent to the email address specified on the page two of the wizard Click on the link in the email message to c...

Page 39: ...optional components and subscriptions The page also includes any license numbers as sociated with the basic product that have already been registered Click on Add to add purchased license numbers Eac...

Page 40: ...Chapter 4 Product Registration and Licensing 40 Figure 4 8 Product registration license numbers of additional components add ons and subscription...

Page 41: ...ble These questions are asked only during the primary original registration If these ques tions have already been answered the page is skipped and the registration process con sists of four steps only...

Page 42: ...ary 1 The license key is generated only for the operating system on which WinRoute was installed during the registration Windows Linux The license can be used for any platform but the license key is a...

Page 43: ...llation of the license key is completed successfully the license is activated immediately Information about the new license is displayed on the Administration Console welcome page This method can also...

Page 44: ...l WinRoute or any of its components stops functioning or WinRoute or McAfee subscription expires The information is also stopped being displayed immediately after the registration of the subscription...

Page 45: ...in the table of clients If not a new record including the IP address is added to the table and the number of licenses is raised by 1 The following items are considered as clients 1 All hosts from whic...

Page 46: ...h a corresponding IP address meeting all conditions is detected is monitored for each record in the table of clients If the idleness time of a client reaches 15 minutes the corresponding record is rem...

Page 47: ...Web Administration s Configuration Interfaces section Figure 5 1 Network interfaces Groups of interfaces To simplify the firewall s configuration and make it as comfortable as possible network inter...

Page 48: ...stination group or select the group in properties of the particular interface see below Note If the initial configuration is not performed by the wizard all interfaces except VPN interfaces are set as...

Page 49: ...ace connected to the Internet connection The name can be edited later see below with no affect on WinRoute s functionality The icon to the left of the name represents the interface type network adapte...

Page 50: ...certain function appropriate buttons will be inactive Add VPN Tunnel Use this option to create a new server to server VPN tunnel Details on the proprietary Kerio VPN solution are provided in chapter 2...

Page 51: ...l as established VPN tunnels cannot be removed in WinRoute Note 1 Records related to network cards or dial ups that do not exist any longer those that have been removed do not affect WinRoute s functi...

Page 52: ...interfaces this item can be changed as desired any time later Other parameters of the interface depend on the selected interface type Most types require username and password for access verification...

Page 53: ...et connection is an issue and two Internet links are available the connection failover feature can help If the primary link fails WinRoute switches to the secondary link automatically Users may theref...

Page 54: ...n be configured automatically with the DHCP protocol It is also possible to use a dial like link which can be connected persistently such as PPPoE connections or CDMA modems WinRoute will keep this ty...

Page 55: ...on network interfaces see chapter 5 Notes 1 On the top of the list the Internet interface where the default gateway is set is offered Therefore in most cases the appropriate adapter is already set wit...

Page 56: ...rface planned for DMZ you can move the particular interface to Other Interfaces For these interfaces it will be necessary to define corresponding traffic rules manually see chapter 7 3 It is also poss...

Page 57: ...t necessary to define and save login data in the dial up settings this information can be defined directly in WinRoute This connection type also requires one or more network cards for connection of in...

Page 58: ...ter 5 Resulting interface configuration When you finish set up in Traffic Policy Wizard the resulting configuration can be viewed under Configuration Interfaces and edited if desirable The Internet In...

Page 59: ...In the Dial on Demand mode default gateway must NOT be set on any network interface of the firewall On demand dialing is based on absence of the default gateway if no route exist in the routing table...

Page 60: ...the link is dialed on demand Note 1 If a static route over a dial up is defined in WinRoute s routing table this link will be dialed whenever a packet is routed through there Settings for the interval...

Page 61: ...comfortable and in certain cases even increase connection costs Note In the time interval where persistent connection of the link is set see above the idleness timeout is ignored Dialing scripts In so...

Page 62: ...dial up with persistent connection CDMA PPPoE for primary connection and a leased line or a dial up for secondary failover connection This connection type also requires one or more network cards for...

Page 63: ...Figure 6 9 Traffic Policy Wizard Internet connection failover In the third step of the wizard select a network interface for the primary connection leased or persistent dial up link and for the secon...

Page 64: ...f a leased link by a dial up Resulting interface configuration When you finish set up in Traffic Policy Wizard the resulting configuration can be viewed under Configuration Interfaces and edited if de...

Page 65: ...nternet interfaces for primary and secondary connection links only To change settings of primary and secondary connection use corresponding options in the interface edit dialog see chapter 5 or use th...

Page 66: ...e of failure of one of the lines the traffic is routed via another Note 1 Network load balancing is applied only to outbound traffic via the default route If the routing table see chapter 18 1 defines...

Page 67: ...r a dial up test the leased link connection first and then dial the other one Dialing of the link opens creates a new default route via this link which allows us to test Internet connection on the sec...

Page 68: ...just for reference reasons it should correspond with the link speed suggested by the ISP The important aspect is the ratio of speed between individual links it determines how Internet traffic will be...

Page 69: ...her connection on this Internet link is working and part of Internet traffic can be routed through it Other interfaces including Dial In are considered as segments of the LAN and put in Trusted Local...

Page 70: ...sible to specify IP addresses of other one or more testing computers upon clicking on Advanced If at least one of the tested devices is available the Internet connection in question is considered as f...

Page 71: ...twork Rules Wizard The network rules wizard demands only the data that is essential for creating a basic set of traffic rules The rules defined in this wizard will enable access to selected services t...

Page 72: ...connection type does not affect resulting traffic rules but only con figuration of interfaces and their classification in groups see chapters 5 and 6 2 The Traffic Policy Wizard no longer includes the...

Page 73: ...5 enabling Kerio VPN traffic To use WinRoute s proprietary VPN solution in order to connect remote clients or to create tunnels between remote networks keep the Create rules for Kerio VPN server sele...

Page 74: ...for Kerio VPN was required in the previous step the Kerio VPN and HTTPS firewall services will be automatically added to the list of local servers If these services are removed or their parameters are...

Page 75: ...generating the rules In the last step traffic rules are generated in accordance with data specified All existing rules will be removed and replaced by the new rules Figure 7 6 Network Rules Wizard the...

Page 76: ...rvice and HTTPS Service The Kerio VPN service rule enables connection to the WinRoute s VPN server establish ment of control connection between a VPN client and the server or creation of a VPN tunnel...

Page 77: ...ts connected to the server If creating of rules for Kerio VPN was set in the wizard the wizard page 5 the Local Traffic rule includes also special address groups All VPN tunnels and All VPN clients Th...

Page 78: ...tents use the special tools available in WinRoute for these purposes see chapter 12 rather than traffic rules 7 3 Definition of Custom Traffic Rules The traffic rules are displayed in the form of a ta...

Page 79: ...r the bubble to view the rule description It is recommended to describe all created rules for better reference automatic descriptions are provided for rules created by the wizard This is helpful for l...

Page 80: ...ork connected to interface selection of the interface or a group of interfaces from which the packet comes in Source or via which they are sent out Destination Figure 7 10 Traffic rule selecting an in...

Page 81: ...e destination address definition The Authenticated users option makes the rule valid for all users authenticated to the firewall see chapter 10 1 Use the User s from domain option to add users groups...

Page 82: ...e displayed in the item list This is helpful when rules are changed it is not necessary to remove items one by one Whenever at least one item is added the Nothing value will be removed automatically I...

Page 83: ...bypass the protocol inspector for certain traffic it is necessary to define this exception in the particular traffic rule For detailed information see chapter 7 7 Action Action that will be taken by...

Page 84: ...tion WinRoute offers these options Automatic IP address selection By default in packets sent from the LAN to the Internet the source IP address will be replaced by IP address of the Internet interface...

Page 85: ...and dialing or connection failover these options have no effect on WinRoute s functionality Hint For maximal efficiency of the connection s capacity it is possible to combine both load balancing metho...

Page 86: ...the Internet This option is available above all to keep the environment compatible with older WinRoute versions However use of a fixed IP address has many limitations It is necessary to use an IP add...

Page 87: ...s running of applications in the private network that would either work only partially or they would not work at all For example of using of Full cone NAT for VoIP applications refer to chapter 7 8 Wa...

Page 88: ...ases WinRoute finds a corresponding IP address using a DNS query Warning We recommend you not to use names of computers which are not recorded in the local DNS since rule is not applied until a corres...

Page 89: ...the rule will be valid Apart from this interval WinRoute ignores the rule The special always option can be used to disable the time limitation it is not displayed in the Traffic Policy dialog When a d...

Page 90: ...fic policy provides a range of network traffic filtering options In this chapter you will find some rules used to manage standard configurations Using these examples you can easily create a set of rul...

Page 91: ...lation option should be set in the Destination address translation section otherwise the rule might not function Combining source and destination IP address translation is relevant under special condi...

Page 92: ...ow option otherwise all traffic will be blocked and the function of port mapping will be irrelevant Translation In the Destination NAT Port Mapping section select the Translate to IP address option an...

Page 93: ...The interface connected to the Internet uses public IP addresses 63 157 211 10 and 63 157 211 11 We want the server web1 to be available from the Internet at the IP address 63 157 211 10 the server w...

Page 94: ...tion rule in the Service entry specify only those services that are intended to be allowed Figure 7 25 Internet connection sharing only selected services are available 2 Limitations sorted by IP addre...

Page 95: ...ter 7 6 Exclusions You may need to allow access to the Internet only for a certain user address group whereas all other users should not be allowed to access this service This will be better understoo...

Page 96: ...s and 8 Mbit s One of the links is connected to the provider where the mailserver is also hosted Therefore it is desirable that all email traffic SMTP IMAP POP3 protocols and their secured versions is...

Page 97: ...twork traffic load balancing WinRoute provides two options of network traffic load balancing per host clients or per con nection for details refer to chapter 7 3 With respect to variability of applica...

Page 98: ...sed on various issues relating to use of user accounts in traffic rules as well as hints for their solution Note For detailed information on traffic rules definition refer to chapter 7 3 How to enable...

Page 99: ...ing host After a successful authentication users specified in the NAT rule see figure 7 35 will be allowed to access also other Internet services As well as users not specified in the rules unauthenti...

Page 100: ...ctionality of the application or endanger its security A special traffic rule as follows will be defined for all traffic of the banking application 1 In the Configuration Definitions Services section...

Page 101: ...ible passage from the Internet to the local network To keep the security as high as possible it is therefore necessary to enable Full cone NAT for particular clients and services only The following ex...

Page 102: ...er 7 3 and enable the Allow returning packets from any host Full cone NAT option Figure 7 40 Enabling Full cone NAT in the traffic rule Rule for Full cone NAT must precede the general rule with NAT al...

Page 103: ...and to the port of the other telephone Under normal conditions such packets would be dropped How ever WinRoute is capable of using a corresponding record in the NAT table to recognize that a packet is...

Page 104: ...ion has the risk of slow DNS responses All requests from each computer in the local network will be sent to the Internet use the DNS server within the local network if available The DNS server must be...

Page 105: ...NS resolver Warning If DNS forwarder is not used for your network configuration it can be switched off If you want to run another DNS server on the same host DNS forwarder must be disabled otherwise c...

Page 106: ...ery is forwarded to another DNS server hosts file this file can be found in any operating system supporting TCP IP Each row of this file includes host IP addresses and a list of appropriate DNS names...

Page 107: ...od through the following example Example The local domain s name is company com The host called john is configured so as to obtain an IP address from the DHCP server After the operating system is star...

Page 108: ...ing rules are applied only if the DNS module is not able to respond by using the information in the hosts system file and or by the DHCP lease table Clicking on the Define button in the DNS module con...

Page 109: ...me queries Use the If the queried name matches entry to specify a corresponding DNS name name of a host in the domain It is usually desirable to forward queries to entire domains rather than to specif...

Page 110: ...cts appro priate configuration parameters IP address with appropriate subnet mask and other optional parameters such as IP address of the default gateway addresses of DNS servers domain name etc for t...

Page 111: ...wo parts in one address scopes and in the other reservations are defined Figure 8 5 DHCP server IP scopes In the Item column you can find subnets where scopes of IP addresses are defined The IP subnet...

Page 112: ...with a complete list of advanced parameters sup ported by DHCP including the four mentioned above Any parameter supported by DHCP can be added and its value can be set within this dialog Default param...

Page 113: ...belong to the subnet defined by the mask If this requirement is not met an error will be reported after the confirmation with the OK button Lease time Time for which an IP address is assigned to clien...

Page 114: ...assigned IP address of the interface the network is connected to Default gateway of another network would be useless not available to clients DNS server any DNS server or more DNS servers separated wi...

Page 115: ...percentage proportion of leases number and percentage proportion of free addresses Figure 8 10 DHCP server statistics leased and free IP addresses within the scope Lease Reservations DHCP server enab...

Page 116: ...e address when leased If the IP address is already included to a scope DHCP parameters belonging to the scope are used automatically In the Lease Reservation dialog window additional parameters can be...

Page 117: ...released addresses are kept by the DHCP server and can be used later if the same client demands a lease If free IP addresses are lacked these addresses can be leased to other clients 2 Declined addre...

Page 118: ...to the lease reservation dialog automatically To reserve an IP address for a hostname change settings of the Reservation For and Value items DHCP server advanced options Other DHCP server parameters...

Page 119: ...imeout option 8 3 Dynamic DNS for public IP address of the firewall Kerio WinRoute Firewall provides among others services for remote access from the Internet to the local network VPN server see chapt...

Page 120: ...r IP address up to date and mapped services may be accessed by the corresponding host name Note 1 Usage of DDNS follows conditions of the particular provider 2 Dynamic DNS records use very short time...

Page 121: ...rver is not available user authentication failed etc This report is also recorded in the error log 8 4 Proxy server Even though the NAT technology used in WinRoute enables direct access to the Interne...

Page 122: ...server is used it is not necessary to edit configuration of individual hosts or only some hosts should be re configured The WinRoute s proxy server can be used for HTTP HTTPS and FTP protocols Proxy...

Page 123: ...ured traffic performed by HTTP and or FTP In WinRoute HTTP traffic is controlled by a protocol inspectors which allows only valid HTTP and FTP queries Forward to parent proxy server Tick this option f...

Page 124: ...sin gle click 8 5 HTTP cache Using cache to access Web pages that are opened repeatedly reduces Internet traffic in case of line where traffic is counted it is also remarkable that using of cache dec...

Page 125: ...ject validity within the cache This time is used when TTL of a particular object is not defined to define TTL use the URL specific settings button see below TTL defined by the Web server is not accept...

Page 126: ...ax HTTP object size maximal size of the object that can be stored in cache With respect to statistics the highest number of requests are for small objects i e HTML pages images etc Big sized objects s...

Page 127: ...or updates of objects stored in the cache regardless of whether the client demands this Note Clients can always require a check for updates from the Web server regardless of the cache settings Use com...

Page 128: ...current cache size occupied and efficiency of the cache The efficiency status stands for number of objects kept in the cache it is not necessary to download these objects from the server in proportio...

Page 129: ...e in bytes B and number of hours representing time left to the expiration To keep the list simple and well organized up to 100 items are displayed at a single page The Previous and Next buttons can be...

Page 130: ...r the other traffic where big data volumes are not transmitted but where for example response time may play a role 9 1 How the bandwidth limiter works and how to use it The Bandwidth Limiter module pr...

Page 131: ...while ISPs usually use kilobits per second kbps kbit s or kb s or in megabits per second Mbps Mbit s or Mb s The conversion pattern is 1 KB s 8 kbit s A 256 kbit s line s speed is 32 KB s a 1 Mbit s...

Page 132: ...details see chapter 15 1 Advanced Options Click on Advanced to define advanced Bandwidth Limiter parameters These parameters ap ply only to large data volume transfers They do not apply to users with...

Page 133: ...ection of network services IP Addresses and Time Interval It may be also helpful to apply bandwidth limiter only to certain hosts for example it may be undesired to limit a mailserver in the local net...

Page 134: ...ved in a connection belongs to the address group The other traffic will not be limited Apply to all except the selected address group the bandwidth limiter will not be applied if at least one IP addre...

Page 135: ...r certain amount of data objects included at the page and then closes the connections Terminal services e g Telnet SSH etc typically use an open connection to transfer small data volumes in longer int...

Page 136: ...data volume transfer since after 150 KB of data have been transferred before an only 5 sec long idleness interval and then only other 150 KB of data have been transmitted within the connection Figure...

Page 137: ...their access rights Users can connect Manually by opening the WinRoute web interface in their browser https server 4081 or http server 4080 the name of the server and the port numbers are examples onl...

Page 138: ...to the page including the information where the access was denied Note Users will be redirected to a secured or unsecured web interface according to the fact which version of web interface is allowed...

Page 139: ...trix Presentation Server orFast user switching on Windows XP Windows Server 2003 Windows Vista and Windows Server 2008 the firewall requires authentica tion only from the user who starts to work on th...

Page 140: ...nutes of allowed user inactivity When this period ex pires the user is automatically logged out from the firewall The default timeout value is 120 minutes 2 hours This situation often comes up when a...

Page 141: ...R and user web interface are addressed in detail in the Kerio WinRoute Firewall User s Guide 11 1 Web interface preferences To define basic WinRoute Web interface parameters go to the Web Interface fo...

Page 142: ...e DNS module in WinRoute as a DNS server there is no need to add the server name to DNS The name is already known and combined with the name of the local domain see chapter 8 1 2 In the Software Appli...

Page 143: ...s of the web interface However in WinRoute for Windows the standard HTTPS port 443 uses the Clientless SSL VPN interface see chapter 24 Therefore it cannot be used for secured web interface in the def...

Page 144: ...is key is then used for encryption and decipher any other traffic Generate or Import Certificate During WinRoute installation a testing certificate for the SSL secured Web interface is created automat...

Page 145: ...nsures your clients security as it is unique and the identity of your server is guaranteed by it Clients will be warned only about the fact that the certificate was not issued by a trustworthy certifi...

Page 146: ...w statistics see chapter 15 2 either Kerio StaR is opened or a page with status information and personal preferences is displayed upon logon If more than one Active Directory domain are used see chapt...

Page 147: ...certain HTML items i e scripts ActiveX objects etc filtering based on classification by the Kerio Web Filter module worldwide website classification database limitations based on occurrence of denied...

Page 148: ...ps secure kerio com However it is not possible to filter individual objects at these servers 12 2 URL Rules These rules allow the administrator to limit access to Web pages with URLs that meet certain...

Page 149: ...2 IP Groups IP group to which the rule is applied The IP groups include addresses of clients workstations of users who connect to the Internet through WinRoute Valid Time time interval during which th...

Page 150: ...user groups Click on the Set button to select users or groups hold the Ctrl and the Shift keys to select more that one user group at once Note In rules username represents IP address of the host fro w...

Page 151: ...Deny access to the Web site requested page will be blocked The user will be informed that the access is denied or a blank page will be displayed according to settings in the Advanced tab see below Ti...

Page 152: ...g this button users can force WinRoute to open the required page even though this site is denied by a URL rule The rule will be opened for certain time 10 minutes by default Each user can unlock a lim...

Page 153: ...s for Websites with content meeting a URL rule WWW content scanning options In this section you can define advanced parameters for filtering of objects contained in web pages which meet the particular...

Page 154: ...e option is selected by default for its better reference Use the Apply filtering rules also for local server to specify whether content filtering rules will be applied to local WWW servers which are a...

Page 155: ...s from the WinRoute installation and options in the Kerio Web Filter tab will not be available For detailed information about the licensing policy read chapter 44 Kerio Web Filter configuration The Ke...

Page 156: ...e g www kerio com index html URL using wildcard matching e g ker o An asterisk stands for any num ber of characters even zero a ker o question mark represents just one symbol Description Comments for...

Page 157: ...12 3 Content Rating System Kerio Web Filter 157 Figure 12 7 Kerio Web Filter rule...

Page 158: ...ect classification All unlock queries are logged into the Filter log here you can monitor whether unlock queries were appropriate or not 12 4 Web content filtering by word occurrence WinRoute can also...

Page 159: ...pose that some forbidden words have been already defined and a threshold value has been set for details see below On the URL Rules tab under Configuration Content Filtering HTTP Policy create a rule o...

Page 160: ...tering web pages by word occurrence word filtering Word groups To define word groups go to the Word Groups tab in Configuration Content Filtering HTTP Policy the Forbidden Words tab Words are sorted i...

Page 161: ...lue specified in Deny pages with weight over represents so called threshold weight value for each page i e total weight of all forbidden words found at the page If the total weight of the tested page...

Page 162: ...ry does not match any rule access to the FTP server is implicitly allowed Note 1 The default WinRoute configuration includes a set of predefined rules for FTP traffic These rules are disabled by defau...

Page 163: ...the rule Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later Note FTP traffic which does not match any FTP rule is allowed any traffic permit...

Page 164: ...name of a particular FTP server If an FTP server is defined through a DNS name WinRoute will automatically per form IP address resolution from DNS The IP address will be resolved immediately when sett...

Page 165: ...make the rule independent of clients Click on the Edit button to edit IP groups for details see chapter 14 1 Content Advanced options for FTP traffic content Use the Type option to set a filtering me...

Page 166: ...tent for viruses according to scanning rules Use this option to enable disable scanning for viruses for FTP traffic which meet this rule This option is available only for allowing rules it is meaningl...

Page 167: ...otocols it should be applied and if possible and desired to try the configuration in the trial version of WinRoute before purchasing a license Note 1 However supported external antiviruses as well as...

Page 168: ...Note A corresponding protocol inspector can be also specified within the ser vice definition or both definition methods can be used Both methods yield the same result however the corresponding traffi...

Page 169: ...ad update attempt sets the Last update check performed value to zero Warning To make the antivirus control as mighty as possible it is necessary that the antivirus module is always equipped by the mos...

Page 170: ...version s as well as information regarding the age of the current virus database will be displayed If the update check fails i e the server is not available an error will be reported and detailed info...

Page 171: ...ramatically It might happen that the connection over which the file is transferred is interrupted when the time limit is exceeded The optimal value of the file size depends on particular conditions th...

Page 172: ...for HTTP and FTP traffic objects files of selected types are scanned The file just transmitted is saved in a temporary file on the local disk of the firewall WinRoute caches the last part of the tran...

Page 173: ...te host WinRoute administrators can later try to heal the file using an an tivirus program and if the file is recovered successfully the administrator can provide it to the user who attempted to downl...

Page 174: ...inRoute will consider these files as infected and deny their transmission Hint It is recommended to combine this option with the Move the file to quarantine function the WinRoute administrator can ext...

Page 175: ...he object e g www kerio com img logo gif a string specified by a wildcard matching e g exe or a server name e g www kerio com Server names represent any URL at a corresponding server www kerio com If...

Page 176: ...s is caused by the fact that the firewall cannot handle email messages like mailservers do It only maintains network traffic coming through In most cases removal of an entire message would lead to a f...

Page 177: ...d This text informs the recipient of the message and it can be also used for automatic message filtering Note Regardless of what action is set to be taken the attachment is always removed and a warnin...

Page 178: ...as when a virus was detected including all the actions described above Allow delivery of the attachment WinRoute behaves as if password protected or damaged files were not infected Generally this opti...

Page 179: ...ck will be applied By default only files downloaded from a remote client to a local host are scanned to avoid slowdown local network is treated as trustworthy If the antivirus check fails Options in t...

Page 180: ...s IP address ranges subnets or other groups Creating and Editing IP Address Groups You can define IP address groups in the Configuration Definitions Address Groups section Figure 14 1 WinRoute s IP gr...

Page 181: ...ters of the new item related to the selected type Description Commentary for the IP address group This helps guide the administrator Note Each IP group must include at least one item Groups with no it...

Page 182: ...eated edited and removed in Configuration Definitions Time Ranges Clicking on the Add button will display the following dialog window Name Name identification of the time interval Insert a new name to...

Page 183: ...ces WinRoute services enable the administrator to define communication rules easily by permit ting or denying access to the Internet from the local network or by allowing access to the local network f...

Page 184: ...services Clicking on the Add or the Edit button will open a dialog for service definition Figure 14 6 Network service definition Name Service identification within WinRoute It is strongly recommended...

Page 185: ...g an inappropriate inspector Source Port and Destination Port If the TCP or UDP communication protocol is used the service is defined with its port number In case of standard client server types a ser...

Page 186: ...appropriate client in the local network Due to this fact users in the local network are not limited by the firewall and they can use both FTP modes active passive The protocol inspector is enabled if...

Page 187: ...URL group and assign permissions to the URL group rather than defining permissions to each individual URL rule A URL group rule is processed significantly faster than a greater number of separate rul...

Page 188: ...oup where the item will be included Type Type of the item URL or URL group groups can be cascaded URL URL Group URL or URL group that will be added to the group depending on the item type URL can be s...

Page 189: ...14 4 URL Groups 189 Description The item s description comments and notes for the administrator...

Page 190: ...NT or Active Directory domain i e password is not stored in the user account in WinRoute Obviously usernames in WinRoute must match with the usernames in the domain This method is not so demanding as...

Page 191: ...es connection to the WinRoute administration in case of the network or domain server failure 15 1 Viewing and definitions of user accounts To define local user accounts import accounts to the local da...

Page 192: ...s are available for accounts in the local database Add Edit Remove Click Add Edit or Remove to create modify or delete local user accounts for details see chapter 15 2 It is also possible to select mo...

Page 193: ...h the WinRoute s internal database Active Directory or Windows NT domain The basic administrator account Admin is created during the WinRoute installation process This account has full rights for WinR...

Page 194: ...pter 15 User Accounts and Groups 194 Figure 15 2 Local user accounts in WinRoute Step 1 basic information Figure 15 3 Creating a user account basic parameters Name Username used for login to the accou...

Page 195: ...see below Account is disabled Temporary blocking of the account so that you do not have to remove it Note For example this option can be used to create a user account for a user that will not be used...

Page 196: ...main tab to set parameters for user authentication through the Windows NT domain or and through the Active Directory If Active Directory authentication is set also for Windows NT domain then Active Di...

Page 197: ...ut cannot edit them Full access to administration These users have full rights to administration and are equal to the Admin account If there is at least one user with the full access to the administra...

Page 198: ...to view firewall statistics in the web interface see chapter 11 Hint Access rights can also be defined by a user account template Step 4 data transmission quota Daily and monthly limit for volume of...

Page 199: ...ee Step 1 SMTP Relay must be set in WinRoute see chapter 18 3 If you wish that your WinRoute administrator is also notified when a quota is almost exceeded set the alert parameters in Configuration Ac...

Page 200: ...r quota and actions applied in response can also be set by a user account template Step 5 web content rules and language preferences Figure 15 7 Creating a new user account Web site content rules In t...

Page 201: ...ser s web browser preferences language set as preferred for the previous user s login to the web interface will be used If the user has not logged into the web interface before alerts will be in Engli...

Page 202: ...re automatic login should be accompanied by another security feature such as by user login to the operating system IP address which will be always assigned to the VPN client of the particular user can...

Page 203: ...ch as access rights content rules data transfer quotas etc can be set by using the template for the local user database see chapter 15 1 or and they can be defined individually for special accounts Th...

Page 204: ...for each domain that will be used to set specific WinRoute parameters for user accounts access rights data transfer quotas content rules see chapter 15 1 If needed these parameters can also be set in...

Page 205: ...a single domain are ap plied the WinRoute s DNS forwarder is the best option Domain mapping settings To set Active Directory domain mapping go to the Administration Console section Users and groups U...

Page 206: ...read rights for the user database any user account of the domain can be used unless it is blocked Figure 15 12 Primary domain mapping Advanced Options Method of cooperation between WinRoute and the A...

Page 207: ...password an account with the same name will be created in the local database automatically This option is available above all to keep the environment compatible with older WinRoute versions In new in...

Page 208: ...n server or on all servers of the particular domain if automatic detection is used Mapping of other domains To map user accounts from multiple Active Directory domains add domains in advanced settings...

Page 209: ...unts Figure 15 15 Conversion of user accounts The following operations will be performed automatically within each conversion substitution of any appearance of the local account in the WinRoute config...

Page 210: ...Directory domains see chap ter 15 4 and the local user database In WinRoute it is possible to create groups only in the local user database It is not possible to create groups in mapped Active Direct...

Page 211: ...cal User Database Click Add to start a wizard where a new user group can be created Step 1 Name and description of the group Figure 15 17 Creating a user group basic parameters Name Group name group i...

Page 212: ...ther the Ctrl or the Shift key Step 3 group access rights Figure 15 19 Creating a user group members user rights The group must be assigned one of the following three levels of access rights No access...

Page 213: ...the Internet using the Kerio VPN Client for details see chapter 23 User can use Clientless SSL VPN Members of this group will be allowed to access shared files and folders in the local network via the...

Page 214: ...d time zone Server name Name is important both for some WinRoute services e g secured web interface and for the firewall s operating system s services The DNS forwarder module in WinRoute sets IP addr...

Page 215: ...inition can be done with the predefined service KWF Admin the secured version of the Web Administration interface use TCP protocol on port 4081 by default predefined KWF WebAdmin SSL service How to al...

Page 216: ...at the Kerio Technologies website When ever a new version is detected is download and installation is offered Open the Update Checker tab in the Configuration Advanced Options section to view infor ma...

Page 217: ...onality of your networks etc Check now Click on this button to check for updates immediately If a new version is available detailed information links and download links links to installation files are...

Page 218: ...etworks i e to hosts on which clients of such networks are run Blocking options it is possible to block access to the Internet for a particular host or to restrict the access only to selected services...

Page 219: ...es traffic for this user automatically when the specified time expires The time of disconnection should be long enough to make the user consider consequences and to stop trying to connect to P2P netwo...

Page 220: ...en a P2P network is detected e g the WinRoute administrator define the alert on the Alerts Settings tab of the Configuration Account ing section For details see chapter 19 4 Parameters for detection o...

Page 221: ...of so called secure services These services will be excluded from detection of P2P traffic The Define services button opens a dialog where services can be define that will not be treated as traffic i...

Page 222: ...Detailed information on networks connected to individual interfaces is acquired in the routing table The Anti Spoofing function can be configured in the Anti Spoofing folder in Configuration Advanced...

Page 223: ...horse Count limit for outgoing connections is useful for example when a local client host is at tacked by a worm or Trojan horse which attempts to establish connections to larger number of various se...

Page 224: ...the route p command Note 1 In the Internet connection failover mode see chapter 6 3 only the current default route is shown depending on which Internet interface is currently active 2 In case of multi...

Page 225: ...removing of VPN tunnels VPN routes cannot be created modified nor removed by hand Inactive routes routes which are currently inactive are showed in a separate section These can be static routes that a...

Page 226: ...through to reach the destination network Metric is used to find the best route to the desired network The lower the metric value the shorter the route is Note Metric in the routing table may differ f...

Page 227: ...outes the methods vary according to operating system in some systems the route p or the route command called from an execution script can be used etc It is not possible to find out how a particular pe...

Page 228: ...through ports mapped with UPnP will be recorded in the Filter log see chapter 22 9 Log connections If this option is enabled all packets passing through ports mapped with UPnP will be recorded in the...

Page 229: ...server tab in Configuration Advanced Options Figure 18 5 SMTP settings reports sending Server Name or IP address of the server Note If available we recommend you to use an SMTP server within the local...

Page 230: ...resolved warning message is displayed in the SMTP Relay tab until the IP address is not found If the warning is still displayed this implies that an invalid non existent DNS name is specified or the...

Page 231: ...on about certain activity is reported e g error or warn ing reports debug information etc Each item is represented by one row starting with a timestamp date and time of the event In all language versi...

Page 232: ...f the host from which the user is connecting from Login time Date and time of the recent user login to the firewall Login duration Monitors length of the connection This information is derived from th...

Page 233: ...ter or Firefox SeaMonkey core version 1 3 or later is used VPN client user has connected to the local network using the Kerio VPN Client for details see chapter 23 Note Connections are not displayed a...

Page 234: ...n in the Active Hosts window Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh Logout user Immediate logout of a s...

Page 235: ...d seconds when the activity was detected Activity Event Type of detected activity network communication WinRoute distinguishes between the following activities SMTP POP3 WWW HTTP traffic FTP Streams r...

Page 236: ...Connections tab you can view detailed information about connections established from the selected host to the Internet and in the other direction e g by mapped ports UPnP etc The list of connections p...

Page 237: ...ion to enable disable showing of DNS names instead of IP ad dresses in the Source and Destination columns If a DNS name for an IP address cannot be resolved the IP address is displayed You can click o...

Page 238: ...n the selected period The green curve represents volume of incoming data download in a selected time period while the area below the curve represents the total vol ume of data transferred in the perio...

Page 239: ...h individual messages so called datagrams Periodic data exchange is monitored in this case Figure 19 7 Overview of all connections established via WinRoute One connection is represented by each line o...

Page 240: ...ormation in Connections is refreshed automatically within a user defined interval or the Refresh button can be used for manual refreshing Options of the Connections Dialog The following options are av...

Page 241: ...omatic refreshing of the information in the Connections window Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh M...

Page 242: ...e distinguished by detection of direction of IP addresses out SNAT or in DNAT For details refer to chapter 7 19 3 List of connected VPN clients In Status VPN clients you can see an overview of VPN cli...

Page 243: ...ll via the Administration Console too frequently to view all status in formation and logs however this does not mean that it is not worthy to do this occasionally WinRoute generates alert messages upo...

Page 244: ...gs statistics configuration set tings temporary files e g an installation archive of a new version or a file which is currently scanned by an antivirus engine and other information Whenever the WinRou...

Page 245: ...ents can be selected from the list of users email addresses used for other alerts or new email addresses can be added by hand Valid at time interval Select a time interval in which the alert will be s...

Page 246: ...uage set in the Administration Console is used if a template in a corresponding language is not found the alert is displayed in English Overview of all sent alerts sorted by dates and times is provide...

Page 247: ...19 4 Alerts 247 Figure 19 14 Details of a selected event...

Page 248: ...olumn provides usage of transfer quota by a particular user in percents see chap ter 15 1 Colors are used for better reference green 0 74 of the quota is used yellow 75 99 of the quota is used red 100...

Page 249: ...t time the WinRoute Firewall Engine will be started User Quota dialog options Right click on the table or on an item of a selected user to open the context menu with the following options Figure 20 2...

Page 250: ...tomatic refreshing of the information on the User Statistics tab Informa tion can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off No refresh...

Page 251: ...sent to the local network through this interface Note Interface statistics are saved into the stats cfg configuration file in the WinRoute s installation directory This implies that they are not rese...

Page 252: ...ve interface statistics This option removes the selected interface from the statistics Only inactive interfaces i e disconnected network adapters hung up dial ups disconnected VPN tunnels or VPN serve...

Page 253: ...maximal value of the time interval and is set automatically bytes per second is the basic measure unit B s Select an option for Picture size to set a fixed format of the chart or to make it fit to the...

Page 254: ...nrecom mended to use them for example to figure out exact numbers of Internet connection costs per user 3 For correct functionality of the Kerio StaR interface it is necessary that the WinRoute host s...

Page 255: ...g the particular protocol inspector are applied see chapter 7 7 If the WinRoute proxy server is used visited pages are monitored by the proxy server itself see chapter 8 4 Note HTTPS traffic is encryp...

Page 256: ...or statistics and quota Under certain circumstances too many connected users great volume of transmitted data low capacity of the WinRoute host etc viewing of statistics may slow WinRoute and data tra...

Page 257: ...Kerio StaR interface see chapter 20 Figure 21 2 Kerio StaR advanced options The Show user names in statistics by option enables select a mode of how users and their names will be displayed in individ...

Page 258: ...red and included in statistics and quota e g only in working hours Without this period no traffic will be included in the statistics and in the quota neither For details on time intervals see chapter...

Page 259: ...ps refer to chapter 14 1 URL exceptions can be applied only to unsecured web pages the HTTP protocol Connec tions to secured pages the HTTPS protocol are encrypted and URL of such pages cannot be dete...

Page 260: ...network To make Internet Usage Statistics link work also for remote administration over the Internet name of the particular server must be defined in the public DNS with the IP address of the particul...

Page 261: ...r StaR means processing of large data volumes To reduce load on the firewall data for StaR is updated approximately once in an hour The top right corner of each StaR page displays information about wh...

Page 262: ...ministration Console Individual logs can be rotated after a certain time period or when a threshold of the file size is reached log files are stored and new events are logged to a new empty file Admin...

Page 263: ...ted intervals Weekly rotation takes effect on Sunday nights Monthly rotation is performed at the end of the month in the night when one month ends and another starts Rotate when file exceeds size Set...

Page 264: ...gs 264 Figure 22 2 File logging settings ter 21 2 Rotation follows the rules described above Syslog Logging Parameters for logging to a Syslog can be defined in the External Logging tab Figure 22 3 Sy...

Page 265: ...right click inside any log window a context menu will be displayed where you can choose several functions or change the log s parameters view logged information Figure 22 4 Logs Context Menu Copy Copi...

Page 266: ...inistration saving of an entire log may take some time Find Use this option to search for a string in the log Logs can be scanned either Up search for older events or Down search for newer events from...

Page 267: ...oved logs cannot be refreshed anymore Note If a user with read rights only is connected to WinRoute see chapter 15 1 the Log settings and Clear log options are missing in the log context menu Only use...

Page 268: ...hlighted or by a so called regular expression all lines containing one or multiple strings matching the regular expression will be highlighted The Description item is used for reference only It is rec...

Page 269: ...actions were performed by which user and when The Config window contains three log types 1 Information about user logins logouts to from the WinRoute s administration Example 18 Apr 2008 10 25 02 jam...

Page 270: ...18 Apr 2008 12 06 03 Admin 1 name ICMP traffic src any dst any service Ping snat any dnat any action Permit time_range always inspector default 18 Apr 2003 12 06 03 date and time of the change Admin...

Page 271: ...s would slow WinRoute down Duration 121 sec duration of the connection in seconds Bytes 1575 1290 2865 number of bytes transferred during this connection transmitted accepted total Packets 5 9 14 numb...

Page 272: ...r setting the Expression entry blank Show status A single overview of status information regarding certain WinRoute components This information can be helpful especially when solving problems with Ker...

Page 273: ...routing information web server for Clientless SSL VPN etc 22 7 Dial Log Data about dialing and hanging up the dial up lines and about time spent on line The following items events can be reported in...

Page 274: ...ed dialing of line Connection 15 Mar 2008 15 51 38 Line Connection successfully connected The first log item is recorded upon reception of a DNS request the DNS module has not found requested DNS reco...

Page 275: ...ious security problems might arise A typical error message in the Error log could be a problem when starting a service usually a collision at a particular port number problems when writing to the disk...

Page 276: ...ed see chapter 7 or meeting other conditions e g logging of UPnP traffic see chapter 18 2 Each log line includes the following information depending on the component which generated the log when an HT...

Page 277: ...TCP only win size of the receive window in bytes it is used for data flow control TCP only tcplen TCP payload size i e size of the data part of the packet in bytes TCP only 22 10 Http log This log con...

Page 278: ...4 64 TCP_MISS 304 0 GET http www squid cache org DIRECT 206 168 0 9 1058444114 733 timestamp seconds and milliseconds since January 1st 1970 0 download duration not measured in WinRoute always set to...

Page 279: ...y win size of the receive window in bytes it is used for data flow control TCP only tcplen TCP payload size i e size of the data part of the packet in bytes TCP only 2 FTP protocol parser log records...

Page 280: ...01 51 Copy File User jsmith company com File server data www index html The Clientless SSL VPN interface and the corresponding record is available in WinRoute is for Windows only 22 13 Warning Log Th...

Page 281: ...lid password The third log informs on an authentication attempt by a user which does not exist johnblue Note With the above three examples the relevant records will also appear in the Security log 22...

Page 282: ...Chapter 22 Logs 282 Note If the page title cannot be identified i e for its content is compressed the Encoded content will be reported http www kerio com URL pages...

Page 283: ...ons Identities of individual clients are authenticated against a username and password transmitted also by secured connection so that unauthorized clients cannot connect to local networks Remote conne...

Page 284: ...affic rules For details refer to chapters 23 2 and 23 3 VPN server is available in the Interfaces tab of the Configuration Interfaces section as a spe cial interface Figure 23 1 Viewing VPN server in...

Page 285: ...omatic detection is not performed again Warning Make sure that the subnet for VPN clients does not collide with any local subnet WinRoute can detect a collision of the VPN subnet with local subnets Th...

Page 286: ...ficate fingerprint can be saved to the clipboard and pasted to a text file email mes sage etc Click Change SSL Certificate to set parameters for the certificate of the VPN server For the VPN server yo...

Page 287: ...ts to it can use hostnames within this network e g server Otherwise full name of the host including domain is required e g server company local DNS extension can be also resolved automatically or set...

Page 288: ...nced Options Listen on port The port on which the VPN server listens for incoming connections both TCP and UDP protocols are used The port 4090 is set as default under usual circumstances it is not ne...

Page 289: ...in the demilitarized zone at the VPN server s side is being added 23 2 Configuration of VPN clients The following conditions must be met to enable connection of remote clients to local networks via en...

Page 290: ...the VPN server is running at another port this service must be redefined The second rule allows communication between the firewall local network and VPN clients If the rules are set like this all VPN...

Page 291: ...etwork via the Internet VPN tunnel Note Each installation of WinRoute requires its own license see chapter 4 Setting up VPN servers First the VPN server must be allowed by the traffic policy and enabl...

Page 292: ...ast one end of each VPN tunnel must be switched to the active mode passive servers cannot initialize connection Configuration of a remote end of the tunnel When a VPN tunnel is being created identity...

Page 293: ...module at the other end of the tunnel DNS domain or subdomain must be used at both sides of the tunnel Note To provide correct forwarding of DNS queries sent from the WinRoute host at any side of the...

Page 294: ...that the corresponding tunnel has been disconnected the first connection establishment is attempted immediately after the tunnel is defined and upon clicking the Apply button in Configuration Interfa...

Page 295: ...outgoing connection for the Kerio VPN service from the firewall to the Internet If basic traffic rules are already created by the wizard refer to chapter 23 2 simply add a corresponding VPN tunnel in...

Page 296: ...y occur in case of a VPN client connecting to the WinRoute s VPN server To avoid the problems just described it is possible to go to the VPN tunnel definition dialog see chapter 23 3 or to the VPN ser...

Page 297: ...client is connected to the server when information in a routing table at any side of the tunnel or at the VPN server is changed periodically every 10 minutes The timeout starts upon each update regard...

Page 298: ...headquarter and a filial office by VPN tunnel connection of VPN clients is possible Suppose that both networks are already deployed and set according to the figure and that the Internet connection is...

Page 299: ...belonging to the host as the primary DNS server As a secondary DNS server a server where DNS requests addressed to other domains will be forwarded must be specified typically the ISP s DNS server Not...

Page 300: ...out whether the subnets do not collide i e whether the same subnet is not used at both ends of the tunnel If an IP address is tested successfully and an error is reported Unknown host when a cor resp...

Page 301: ...arter default traffic rules for Kerio VPN When the VPN tunnel is created customize these rules according to the restriction re quirements see item 6 Note To keep the example as simple and transparent...

Page 302: ...ry DNS server for the WinRoute host s interface connected to the LAN 1 local network It is not necessary to set DNS server at the interface connected to LAN 2 DNS configuration is applied globally to...

Page 303: ...addresses or enable cooperation of the DNS module with the DHCP server in case that IP addresses are assigned dynamically to these hosts For details see chapter 8 1 4 Enable the VPN server and configu...

Page 304: ...cording to the restriction requirements In the Local Traffic rule remove all items except those belonging to the local network of the company headquarters i e except the firewall and LAN 1 and LAN 2 D...

Page 305: ...guration of a filial office 1 Install WinRoute version 6 0 0 or later at the default gateway of the branch office server 2 Use Network Rules Wizard see chapter 7 1 to configure the basic traffic polic...

Page 306: ...default traffic rules for Kerio VPN When the VPN tunnel is created customize these rules according to the restriction re quirements Step 6 3 Customize DNS configuration as follows In the WinRoute s DN...

Page 307: ...the other hosts Note For proper functionality of DNS the DNS database must include records for hosts in a corresponding local network To achieve this save DNS names and IP addresses of local hosts int...

Page 308: ...be created If connected successfully the Connected status will be reported in the Adapter info column for both ends of the tunnel If the connection cannot be established we recommend you to check the...

Page 309: ...ilial office definition of VPN tunnel for the headquarters Figure 23 29 Filial office final traffic rules Note It is not necessary to perform any other customization of traffic rules The required rest...

Page 310: ...o redundant routes see chapter 23 5 is setting of routing between endpoints of individual tunnels In such a case it is necessary to set routing between individual endpoints of VPN tunnels by hand Auto...

Page 311: ...nfiguration see figure 23 30 Note For each installation of WinRoute a separate license for corresponding number of users is required For details see chapter 4 2 Configure and test connection of the lo...

Page 312: ...to one of the remote networks The passive endpoint of the tunnel must be created at a server with fixed public IP address Only active endpoints of VPN tunnels can be created at servers with dynamic IP...

Page 313: ...sic traffic policy in WinRoute To keep the example as simple as possible it is supposed that the access from the local network to the Internet is not restricted i e that access to all services is allo...

Page 314: ...forwarding option and define rules for names in the filial1 company com and filial2 company com domains To specify the for warding DNS server always use the IP address of the WinRoute host s inbound i...

Page 315: ...23 6 Example of a more complex Kerio VPN configuration 315 Figure 23 35 Headquarter TCP IP configuration at a firewall s interface connected to the local network...

Page 316: ...ble Note A free subnet which has been selected is now specified automatically in the VPN network and Mask entries Check whether this subnet does not collide with any other subnet in the headquarters o...

Page 317: ...gerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate Figure 23 37 Headquarter definition of VPN tunnel for the London filial On th...

Page 318: ...cribed here is applied see figure 23 30 it is un recommended to use automatically provided routes In case of an automatic exchange of routes the routing within the VPN is not be ideal for example any...

Page 319: ...unnel connected to the Paris filial Figure 23 39 The headquarters definition of VPN tunnel for the Paris filial On the Advanced tab select the Use custom routes only option and set routes to the sub n...

Page 320: ...Chapter 23 Kerio VPN 320 Figure 23 40 The headquarters routing configuration for the tunnel connected to the Paris filial Figure 23 41 Headquarter final traffic rules...

Page 321: ...imple as possible it is supposed that the access from the local network to the Internet is not restricted i e that access to all services is allowed in step 4 In step 5 of the wizard select the Create...

Page 322: ...onnected to the local network at the remote side of the tunnel Figure 23 45 The London filial office DNS forwarding settings Set the IP address of this interface 172 16 1 1 as a primary DNS server for...

Page 323: ...ion of the fingerprint of the remote SSL certificate On the Advanced tab select the Use custom routes only option and set routes to headquar ters local networks At this point connection should be esta...

Page 324: ...Chapter 23 Kerio VPN 324 branch office server Figure 23 47 The London filial office definition of VPN tunnel for the headquarters...

Page 325: ...23 6 Example of a more complex Kerio VPN configuration 325 Figure 23 48 The London filial routing configuration for the tunnel connected to the headquarters...

Page 326: ...SSL certificate Figure 23 49 The London filial office definition of VPN tunnel for the Paris filial office On the Advanced tab select the Use custom routes only option and set routes to Paris local ne...

Page 327: ...e of a more complex Kerio VPN configuration 327 Figure 23 50 The London filial routing configuration for the tunnel connected to the Paris branch office Figure 23 51 The London filial office final tra...

Page 328: ...e access from the local network to the Internet is not restricted i e that access to all services is allowed in step 4 Figure 23 52 The Paris filial no restrictions are applied to accessing the Intern...

Page 329: ...IP address of this interface 172 16 1 1 as a primary DNS server for the WinRoute host s interface connected to the LAN 1 local network It is not necessary to set DNS at the interface connected to LAN...

Page 330: ...Chapter 23 Kerio VPN 330 Figure 23 55 The Paris filial office VPN server configuration...

Page 331: ...l for the headquarters On the Advanced tab select the Use custom routes only option and set routes to headquar ters local networks At this point connection should be established i e the tunnel should...

Page 332: ...Chapter 23 Kerio VPN 332 Paris branch office server Figure 23 57 The Paris filial routing configuration for the tunnel connected to the headquarters...

Page 333: ...ice definition of VPN tunnel for the London filial office On the Advanced tab select the Use custom routes only option and set routes to London s local networks Like in the previous step check whether...

Page 334: ...lial office final traffic rules connect to this branch office VPN test The VPN configuration has been completed by now At this point it is recommended to test reachability of the remote hosts in the o...

Page 335: ...is not possible or useful to use Kerio VPN Client This chapter addresses configuration details needed for proper functionality of the SSL VPN interface The SSL VPN interface is described thoroughly in...

Page 336: ...ort 443 standard port of the HTTPS service Click Change SSL Certificate to create a new certificate for the SSL VPN service or to import a certificate issued by a trustworthy certification authority W...

Page 337: ...cal hosts from remote networks are not scanned by antiviruses files downloaded from private networks are considered as trustwor thy Settings of antivirus check can be changed in antivirus configuratio...

Page 338: ...exported to a tgz package the tar archive compressed by gzip which includes all the key WinRoute configuration files Optionally it is possible to include the web interface s VPN server s and SSL VPN...

Page 339: ...cks up of configuration user accounts data DHCP server database etc logs cfg Log configurations Note The data in these files are saved in XML format so that it can be easily modified by an advanced us...

Page 340: ...tabase for statistics of the WinRoute web inter face Handling configuration files We recommend that WinRoute Firewall Engine be stopped prior to any manipulation with the configuration files backups r...

Page 341: ...User at the client host is required to authenticate to this domain i e local user accounts cannot be used for this purpose 5 The NT domain or the Active Directory authentication method see chapter 15...

Page 342: ...key with the core version Mozilla 1 3 or later NTLM authentication process NTLM authentication process differs depending on a browser used Internet Explorer NTLM authentication is performed without us...

Page 343: ...configuration parameter s using the following instructions For direct connection proxy server is not set in the browser Look up the network automatic ntlm auth trusted uris parameter Use the WinRoute...

Page 344: ...t is not possible to connect directly to the Internet see chapter 8 4 Example of a client configuration web browser Web browsers allow to set the proxy server either globally or for individual protoco...

Page 345: ...s either single connections to FTP server by the Net FTP New Connection option available in the main menu or creating a bookmark for repeated connec tions Net FTP Connect The proxy server must be conf...

Page 346: ...the link may stay hung up even if the local network sends requests for Internet connection or it may be dialed unintentionally Information provided in this chapter should help you understand the prin...

Page 347: ...s a default gateway at any interface packets to the Inter net would be routed via this interface no matter where it is actually connected to and WinRoute would not dial the line 2 Only one link can be...

Page 348: ...t and the dialing will be available If clients DNS server is located on the Internet the line will be dialed upon a client s DNS query If a local DNS server is used the line will be dialed upon a quer...

Page 349: ...ly use the hosts system file of the WinRoute host for details see chapter 8 1 Note Undesirable traffic causing unintentional dialing of a link can be blocked by WinRoute traffic rules see chapter 7 3...

Page 350: ...com The host is called pc1 The full name of the host is pc1 company com whereas local name in this domain is pc1 Local names are usually stored in the database of the local DNS server in this example...

Page 351: ...1 Essential Information To send a request to our technical support use the contact form at http support kerio com To be able to help you solve your problems the best and in the shortest possible time...

Page 352: ...e number Please specify whether you have purchased any WinRoute license or if you use the trial version Requirements of owners of valid licenses are always preferred 26 2 Tested in Beta version As to...

Page 353: ...and Safari are registered trademarks or trademarks of Apple Computer Inc Linux is registered trademark kept by Linus Torvalds Mozilla and Firefox are registered trademarks of Mozilla Foundation Kerber...

Page 354: ...odified version of the h323plus library distributed under Mozilla Public License MPL The original source code is available at http h323plus org KIPF driver Kerio IP filter driver for Linux WinRoute s...

Page 355: ...n libkvnet tgz libcurl Copyright 1996 2008 Daniel Stenberg libiconv libiconv converts from one character encoding to another through Unicode conversion WinRoute include a modified version of this libr...

Page 356: ...ySize Inc All rights reserved Prototype Framework in JavaScript Copyright Sam Stephenson The Prototype library is freely distributable under the terms of a MIT license For details see the Prototype we...

Page 357: ...irtual server keeps running Connections A virtual bidirectional communication channel between two hosts See also TCP DDNS DDNS Dynamic Domain Name System is DNS with the feature of automatic update of...

Page 358: ...the client This mode is suitable for cases where the firewall is at the server s side however it is not supported by some clients e g by web browsers passive mode data connection is established also...

Page 359: ...ode or for encryption of traffic between two hosts so called transport mode Kerberos Kerberos is a system used for secure user authentication in network environments It was developed at the MIT univer...

Page 360: ...k interface P2P network Peer to Peer P2P networks are world wide distributed systems where each node can represent both a client and a server These networks are used for sharing of big volumes of data...

Page 361: ...active mode when data connection to a client is established by a server and to filter traffic by the corre sponding protocol e g limited access to Web pages classified by URLs anti virus check of down...

Page 362: ...es over HTTP protocol Nowadays it is used by almost all standard Internet protocols SMTP POP3 IMAP LDAP etc At the beginning of communication an encryption key is requested and transferred using asymm...

Page 363: ...t establish new connections nor it provides reliable and sequential data delivery nor it enables error correction or data stream con trol It is used for transfer of small sized data i e DNS queries or...

Page 364: ...guration 130 detection principle 135 beta version 352 BOOTP 118 C cache directory 125 DNS 105 size 126 URL exceptions 127 certificate SSL VPN 336 VPN server 286 Web Interface 144 Clientless SSL VPN 33...

Page 365: ...d 57 346 leased line 54 load balancing 66 unintentional dialing 349 IPSec 87 K Kerberos 196 Kerio Administration Console 23 Kerio Web Filter 154 deployment 156 parameters configuration 155 website cat...

Page 366: ...0 R ranges time 181 182 RAS 118 registration at the Kerio website 43 of purchased product 39 trial version 36 relay SMTP server 229 routing table 224 static routes 225 S services 82 183 SIP 186 SSL VP...

Page 367: ...01 configuration 138 V VPN 283 client 198 213 289 configuration example 297 Kerio Clientless SSL VPN 335 Kerio VPN 283 routing 296 server 48 284 SSL certificate 286 tunnel 291 VPN client 289 DNS 286 r...

Page 368: ...368...