Kerio Tech KERIO WINROUTE FIREWALL 6 Administrator's Manual

Kerio WinRoute Firewall 6
Administrator's Guide
Kerio Technologies s.r.o.

Summary of Contents for Kerio Tech KERIO WINROUTE FIREWALL 6

  • Page 1 Kerio WinRoute Firewall 6 Administrator’s Guide Kerio Technologies s.r.o.
  • Page 2 Kerio Technologies s.r.o. All rights reserved. This guide provides a detailed description of the configuration and administration of Kerio WinRoute Firewall, version 6.7.1. All additional modifications and updates reserved. The user interfaces Kerio StaR and Kerio Clientless SSL-VPN are covered in a standalone document, Kerio WinRoute Firewall —...
  • Page 3: Table Of Contents

    Contents Quick Checklist ..............7 Introduction .
  • Page 4 Policy routing ............95 User accounts and groups in traffic rules .
  • Page 5 User Accounts and Groups ........... 190 15.1 Viewing and definitions of user accounts .
  • Page 6 22.9 Filter Log ............. . 276 22.10 Http log .
  • Page 7: Quick Checklist

    Chapter 1 Quick Checklist In this chapter you can find a brief guide for a quick setup of Kerio WinRoute Firewall (referred to as “WinRoute” within this document). After this setup the firewall should be immediately available and able to share your Internet connection and protect your local network. For a detailed guide refer to the separate WinRoute —...
  • Page 8 Chapter 1 Quick Checklist Select an antivirus and define types of objects that will be scanned. If you choose the integrated McAfee antivirus application, check automatic update settings and edit them if necessary. External antivirus must be installed before it is set in WinRoute, otherwise it is not available in the combo box.
  • Page 9: Introduction

    Chapter 2 Introduction 2.1 What’s new in 6.7.1 In version 6.7.1, WinRoute brings the following new features: Kerio WinRoute Firewall Software Appliance / VMware Virtual Appliance Kerio WinRoute Firewall is now available as a so-called software appliance (Software Appliance / VMware Virtual Appliance).
  • Page 10: Conflicting Software

    Chapter 2 Introduction Support for Windows 7 Kerio WinRoute Firewall now includes full support for the new operating system Microsoft Windows 7. 2.2 Conflicting software WinRoute can be run alongside most common applications. However, there are certain applications that should not be run on the same host as WinRoute, as this could result in conflicts. The computer where WinRoute is installed (the host) can also be used as a workstation.
  • Page 11: System Requirements

    2.3 System requirements 53/UDP — DNS module, 67/UDP — DHCP server, 1900/UDP — the SSDP Discovery service, 2869/TCP — the UPnP Host service. The SSDP Discovery and UPnP Host services are included in the UPnP support (refer to chapter 18.2). 44333/TCP+UDP —...
  • Page 12: Installation - Windows

    Chapter 2 Introduction 50 MB free disk space for installation of Kerio WinRoute Firewall. Disk space for statistics (see chapter 21) and logs (in accordance with traffic flow and logging level — see chapter 22). To keep the installed product (especially its configuration files) as secure as possible, it is recommended to use the NTFS file system.
  • Page 13 2.4 Installation - Windows Note: WinRoute installation packages include the Kerio Administration Console. The separate Kerio Administration Console installation package (file kerio-kwf-admin * .exe) is designed for full remote administration from another host. This package is identical for both 32-bit and 64-bit Windows systems.
  • Page 14 Chapter 2 Introduction Figure 2.1 Installation — customization by selecting optional components Kerio WinRoute Firewall Engine — core of the application. VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN). Administration Console — the Kerio Administration Console application (universal console for all server applications of Kerio Technologies) including WinRoute administration tools.
  • Page 15 2.4 Installation - Windows all checked components will be installed or updated; all unchecked components will not be installed or will be removed. During an update, all components that are intended to remain must be ticked. The installation program does not allow installing the Administration Console separately. Installation of the Administration Console for full remote administration requires a separate installation package (file kerio-kwf-admin * .exe).
  • Page 16 Chapter 2 Introduction Universal Plug and Play Device Host and SSDP Discovery Service The services support UPnP (Universal Plug and Play) in the Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 operating systems. However, these services collide with the UPnP support in WinRoute (refer to chapter 18.2). The WinRoute installation includes a dialog where it is possible to disable colliding system services.
  • Page 17: Initial Configuration Wizard (Windows)

    2.5 Initial configuration wizard (Windows) warning log. This helps ensure that the service will be enabled/started immediately after the WinRoute installation. On Windows XP Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008, WinRoute registers in the Security Center automatically. This implies that the Security Center always indicates firewall status correctly and does not display warnings informing that the system is not protected.
  • Page 18 Chapter 2 Introduction Password and its confirmation must be entered in the dialog for account settings. Name Admin can be changed in the Username edit box. Note: If the installation is running as an upgrade, this step is skipped since the administrator account already exists.
  • Page 19: Upgrade And Uninstallation - Windows

    2.6 Upgrade and Uninstallation - Windows Enable remote access This option enables full access to the WinRoute computer from a selected IP address Remote IP address IP address of the computer from where you will be connecting (e.g. terminal services client).
  • Page 20: Installation - Software Appliance And Vmware Virtual Appliance

    Chapter 2 Introduction Figure 2.5 Uninstallation — asking user whether files created in WinRoute should be deleted Keeping these files may be helpful for copying the configuration to another host or if it is not certain whether the SSL certificates were issued by a trustworthy certification authority. During uninstallation, the WinRoute installation program automatically restores the original status of the Windows Firewall / Internet Connection Sharing, Universal Plug and Play Device Host and SSDP Discovery Service system services.
  • Page 21 2.7 Installation - Software Appliance and VMware Virtual Appliance Start of the installation Software Appliance The ISO image of the installation CD can be burned to a physical CD, which can then be used to install the system on the target computer (either physical or virtual). In the case of virtual computers, the ISO image can also be attached as a virtual CD-ROM, without the need to burn the installation ISO file to a CD.
  • Page 22 Chapter 2 Introduction virtual computer allows this) adapter or install WinRoute Software Appliance on another type of virtual machine. If such an issue arises, it is highly recommended to consult Kerio Technologies technical support about the problem (see chapter 26). If no network adapter can be detected, it is not possible to continue installing WinRoute.
  • Page 23: Upgrade - Software Appliance / Vmware Virtual Appliance

    2.8 Upgrade - Software Appliance / VMware Virtual Appliance WinRoute can be upgraded by the following two methods: by starting the system from the installation CD (or a mounted ISO) of the new version. The installation process is identical to the process of a new installation, with the only exception that at the start the installer asks you whether to execute an upgrade (any existing data will be kept) or a new installation (all configuration files, statistics,...
  • Page 24: Winroute Engine Monitor (Windows)

    Chapter 2 Introduction 2.10 WinRoute Engine Monitor (Windows) WinRoute Engine Monitor is a standalone utility used to control and monitor the WinRoute Firewall Engine status. The icon of this component is displayed on the toolbar. Figure 2.6 WinRoute Engine Monitor icon in the Notification Area If WinRoute Engine is stopped, a white crossed red spot appears on the icon.
  • Page 25: The Firewall's Console (Software Appliance / Vmware Virtual Appliance)

    2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance) Note: If a limited version of WinRoute is used (e.g. a trial version), a notification is displayed 7 days before its expiration. This information is displayed until the expiration. WinRoute Engine Monitor is available in English only. 2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance) On the console of the computer where Kerio WinRoute Firewall Software Appliance / VMware...
  • Page 26 Chapter 2 Introduction Shutting down / restarting the firewall If you need to shut your computer down or reboot it, these options provide secure closure of the Kerio WinRoute Firewall Engine and shutdown of the firewall’s operating system. Restoring default configuration This option restores the default firewall settings as installed from the installation CD or upon the first startup of the VMware virtual host.
  • Page 27: Winroute Administration

    Chapter 3 WinRoute Administration For WinRoute configuration, two tools are available: The Web Administration interface The Web Administration interface allows both remote and local administration of the firewall via a common web browser. In the current version of WinRoute, the Web Administration allows configuration of all crucial WinRoute parameters: network interfaces, traffic rules,...
  • Page 28: Administration Console - The Main Window

    Chapter 3 WinRoute Administration The following chapters of this document address individual sections of the Administration Console, the module which allows full configuration. The Web Administration interface is almost identical to the Administration Console and its sections. Note: The Web Administration interface and the Administration Console for WinRoute are available in 16 localization versions.
  • Page 29 3.1 Administration Console - the main window The left column contains the tree view of sections. The individual sections of the tree can be expanded and collapsed for easier navigation. Administration Console remembers the current tree settings and uses them upon the next login. In the right part of the window, the contents of the section selected in the left column is displayed (or a list of sections in the selected group).
  • Page 30 Chapter 3 WinRoute Administration for authentication of the firewall when connecting to the administration from another host (see Kerio Administration Console — Help). Administrator’s guide — this option displays the administrator’s guide in HTML Help format. For details about help files, see Kerio Administration Console — Help manual.
  • Page 31: Administration Console - View Preferences

    3.2 Administration Console - view preferences Note: After a connection failure, the Web Administration interface is redirected and opened at the login page automatically. Any unsaved changes will get lost. 3.2 Administration Console - view preferences Many sections of the Administration Console are in table form where each line represents one record (e.g.
  • Page 32: Product Registration And Licensing

    Chapter 4 Product Registration and Licensing When purchased, Kerio WinRoute Firewall must be registered. Upon registration of the product, a so-called license key is generated (the license.key file — see chapter 25.1). If the key is not imported, WinRoute will behave as a full-featured trial version and its license will be limited by the expiration timeout.
  • Page 33: License Information

    4.2 License information cannot be updated. The time for updates can be extended by purchasing a subscription. product expiration date — specifies the date by which WinRoute stops functioning and blocks all TCP/IP traffic at the host where it is installed. If this happens, a new valid license key must be imported or WinRoute must be uninstalled.
  • Page 34 Chapter 4 Product Registration and Licensing Figure 4.1 Administration Console welcome page providing license information Product name of the product (WinRoute) Copyright Copyright information. Homepage Link to the Kerio WinRoute Firewall homepage (information on pricing, new versions, etc.). Click on the link to open the homepage in your default browser. Operating system Name of the operating system on which the WinRoute Firewall Engine service is running.
  • Page 35: Registration Of The Product In The Administration Console

    4.3 Registration of the product in the Administration Console Number of users Maximal number of hosts (unique IP addresses) that can be connected to the Internet via WinRoute at the same time (for details, refer to chapter 4.6). Company Name of the company (or a person) to which the product is registered. Depending on the current license, links are displayed at the bottom of the image: For unregistered versions: Become a registered trial user —...
  • Page 36 Chapter 4 Product Registration and Licensing Registration of the trial version By registering the trial version, users get free email and telephone technical support for the entire trial period. In return, Kerio Technologies gets valuable feedback from these users. Registration of the trial version is not obligatory. However, it is recommended since it provides certain benefits.
  • Page 37 4.3 Registration of the product in the Administration Console Figure 4.3 Trial version registration — user information Figure 4.4 Trial version registration — other information The fourth page provides the information summary. If any information is incorrect, use the Back button to browse to a corresponding page and correct the data. The last page of the wizard provides user’s Trial ID.
  • Page 38 Chapter 4 Product Registration and Licensing Figure 4.5 Registration of the trial version — summary Figure 4.6 Trial version registration — Trial ID At this point, an email message (in the language set in the Administration Console) requesting confirmation of the registration is sent to the email address specified on page two of the wizard.
  • Page 39 4.3 Registration of the product in the Administration Console Registration of the purchased product Follow the Register product with a purchased license number link to run the registration wizard. On the first page of the wizard, it is necessary to enter the license number of the basic product delivered upon its purchase and retype the security code displayed in the picture into the text field (this protects the server from misuse).
  • Page 40 Chapter 4 Product Registration and Licensing Figure 4.8 Product registration — license numbers of additional components, add-ons and subscription...
  • Page 41 4.3 Registration of the product in the Administration Console Figure 4.9 Product registration — user information Page four includes optional information. It is not obligatory to answer these questions; however, the answers help Kerio Technologies accommodate the demands of as many customers as possible.
  • Page 42 Chapter 4 Product Registration and Licensing Figure 4.10 Product registration — other information Figure 4.11 Product registration — summary The license key is generated only for the operating system on which WinRoute was installed during the registration (Windows / Linux). The license can be used for any platform but the license key is always generated for the particular platform only.
  • Page 43: Product Registration At The Website

    4.4 Product registration at the website work connection, etc.), simply restart the wizard and repeat the registration. 4.4 Product registration at the website If, for any reason, registration of WinRoute cannot be performed from the Administration Console, it is still possible to register the product at the Kerio Technologies website. To open the registration form, use the Support Register License option in the main menu.
  • Page 44 Chapter 4 Product Registration and Licensing Administrators are informed in two ways: by a pop-up bubble tip (this function is featured by the WinRoute Engine Monitor module), by a pop-up window upon login to the Administration Console (only in case of expiration of subscription).
  • Page 45: User Counter

    4.6 User counter This chapter provides a detailed description of how WinRoute checks whether the number of licensed users has been exceeded. The WinRoute license does not limit the number of user accounts. The number of user accounts does not affect the number of licensed users.
  • Page 46 Chapter 4 Product Registration and Licensing License release Idleness time (i.e. time for which no packet with a corresponding IP address meeting all conditions is detected) is monitored for each record in the table of clients. If the idleness time of a client reaches 15 minutes, the corresponding record is removed from the table and the number of licenses is decreased by 1.
  • Page 47: Network Interfaces

    Chapter 5 Network interfaces WinRoute is a network firewall. This implies that it represents a gateway between two or more networks (typically between the local network and the Internet) and controls traffic passing through network adapters (Ethernet, WiFi, dial-ups, etc.) which are connected to these networks.
  • Page 48 Chapter 5 Network interfaces change of a network adapter etc., there is no need to edit traffic rules — simple adding of the new interface in the correct group will do. In WinRoute, the following groups of interfaces are defined: Internet interfaces —...
  • Page 49 you do not consider RAS clients as parts of trustworthy networks for any reason, you can move the Dial-In interface to Other interfaces. Note: If both RAS server and WinRoute are used, the RAS server must be configured to assign clients IP addresses of a subnet which is not used by any segment of the local network.
  • Page 50 Chapter 5 Network interfaces IP address of the primary DNS server set on the interface. Hardware (MAC) address of a corresponding network adapter. This entry is empty for dial-ups as its use would be meaningless there. Use the buttons at the bottom of the interface list to remove or edit properties of the chosen interface.
  • Page 51 In WinRoute, it is possible to specify a special name for each interface (names taken from the operating system can be confusing and the new name may make it clear). It is also possible to change the group of the interface (Internet, secure local network, another network —...
  • Page 52 Chapter 5 Network interfaces Adding new interface (Software Appliance / VMware Virtual Appliance) In the Software Appliance / VMware Virtual Appliance edition, WinRoute allows adding new network interfaces (dial-up, PPPoE and PPTP connections) right in the administration console. Click on Add to open a menu and select the type of the new interface (dial-up can be added only if an analog or ISDN modem is installed on the firewall host).
  • Page 53: Internet Connection

    Chapter 6 Internet Connection The basic function of WinRoute is connection of the local network to the Internet via one or more Internet connections (Internet links). Depending on number and types of Internet links, WinRoute provides various options of Internet connection: A Single Internet Link —...
  • Page 54: Persistent Connection With A Single Link

    Chapter 6 Internet Connection This involves selection of the Internet connection type in the Configuration Interfaces section of the WinRoute configuration, setting corresponding interfaces for connection to the Internet and definition of corresponding traffic rules (see chapter 7.3). Hint All necessary settings can be done semi-automatically with use of Traffic Policy Wizard —...
  • Page 55 6.1 Persistent connection with a single link Figure 6.1 Traffic Policy Wizard — persistent connection with a single link Figure 6.2 Network Policy Wizard — selection of an interface for the Internet connection to configure parameters of the selected interface, to create a new interface (PPPoE, PPTP or dial-up).
  • Page 56 Chapter 6 Internet Connection Resulting interface configuration When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed under Configuration Interfaces and edited if desirable. Figure 6.3 Configuration of interfaces — connection by a single leased link The Internet Interfaces group includes only the Internet card selected on the third page of the wizard.
  • Page 57: Connection With A Single Leased Link - Dial On Demand

    6.2 Connection with a single leased link - dial on demand If the WinRoute host is connected to the Internet via dial-up, WinRoute can automatically dial the connection when users attempt to access the Internet. WinRoute provides the following options of dialing/hanging control: Line is dialed when a request from the local network is received.
  • Page 58 Chapter 6 Internet Connection Figure 6.4 Traffic Policy Wizard — dial on demand Figure 6.5 Network Policy Wizard — selection of an interface for the Internet connection to configure parameters of the selected interface, to create a new interface (PPPoE, PPTP or dial-up). For details on network interfaces, see chapter 5.
  • Page 59 6.2 Connection with a single leased link - dial on demand Figure 6.6 Configuration of interfaces — an on-demand dial link The Internet interfaces group can include multiple dial-ups. However, only one of these links can be set for on-demand dialing. If another link is dialed manually, WinRoute will route packets to the corresponding destination network in accordance with the system routing table (see also chapter 18.1) and perform IP address translation (NAT).
  • Page 60 Chapter 6 Internet Connection Figure 6.7 Interface properties — dialing settings efficient to keep the link up persistently even in times with dense network communication. For these purposes, it is possible to set time intervals for persistent connection and/or hang-up.
  • Page 61 6.2 Connection with a single leased link - dial on demand connection is recovered automatically. If the connection is set to be hung up at the moment of the outage, the connection will not be recovered. In the on-demand dial mode (i.e. outside the intervals defined), the connection will be recovered in response to the first request (i.e.
  • Page 62: Connection Failover

    Chapter 6 Internet Connection Warning WinRoute is running in the operating system as a service. Therefore, external applications and operating system commands will run in the background only (in the SYSTEM account). The same rules apply to all external commands and external programs called by scripts.
  • Page 63 6.3 Connection Failover Warning Connection failover is relevant only if performed by a persistent connection (i.e. the primary connection uses a network card or a persistently connected dial-up). Failing that, the secondary connection would be activated automatically upon each hang-up of the primary link. Configuration with the wizard On the second page of the Traffic Policy Wizard (see chapter 7.1), select Multiple Internet Links —...
  • Page 64 Chapter 6 Internet Connection Figure 6.10 Traffic Policy Wizard — failover of a leased link by a dial-up Resulting interface configuration When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed under Configuration Interfaces and edited if desirable. Figure 6.11 Configuration of interfaces —...
  • Page 65 6.3 Connection Failover The Internet interfaces group includes the Internet and the Dial-up link selected as primary and secondary (failover) on the third page of the wizard. The information provided in the Internet column states which link is used for primary and which one for secondary connection. The Status column informs of the link status (up/down) as well as of the fact whether the link is active (just being used as Internet connection at the moment) or not.
  • Page 66: Network Load Balancing

    Chapter 6 Internet Connection Note: Probe hosts must not block ICMP Echo Requests (PING) since such requests are used to test availability of these hosts — otherwise the hosts will always be considered unavailable. This is one of the cases where the primary default gateway cannot be used as the testing computer.
  • Page 67 6.4 Network Load Balancing Both the primary and the secondary link may be configured automatically by the DHCP protocol. In that case, WinRoute looks up all required parameters in the operating system. It is recommended to check the functionality of individual Internet links before installing WinRoute.
  • Page 68 Chapter 6 Internet Connection On the third page of the wizard, add all links (one by one) which you intend to use for traffic load balancing. In the Software Appliance / VMware Virtual Appliance edition, the wizard allows: to configure parameters of the selected interface, to create a new interface (PPPoE, PPTP or dial-up).
  • Page 69 6.4 Network Load Balancing Resulting interface configuration When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed under Configuration Interfaces and edited if desirable. Figure 6.15 Configuration of interfaces — network traffic load balancing The Internet interfaces group includes the Internet 4Mbit and the Internet 8Mbit link selected as an interface for Internet traffic load balancing on the third page of the wizard.
  • Page 70 Chapter 6 Internet Connection Advanced settings (optimization, dedicated links, etc.) In basic configuration, network load balancing is applied automatically with respect to their proposed speeds (see above). It is possible to use traffic rules to modify this algorithm (e.g. by dedicating one link for a particular traffic).
  • Page 71: Traffic Policy

    Chapter 7 Traffic Policy Traffic Policy belongs to the basic WinRoute configuration. All the following settings are displayed and can be edited within the table: security (protection of the local network including the WinRoute host from Internet intrusions), IP address translation (or NAT, Network Address Translation — technology which enables transparent access of the entire local network to the Internet with one public IP address only), access to the servers (services) running within the local network from the Internet...
  • Page 72 Chapter 7 Traffic Policy Figure 7.1 Traffic Policy Wizard — introduction Steps 2 and 3 — Internet connection settings On the second page of the wizard, select how the LAN will be connected to the Internet with WinRoute (leased link, dial-up, leased link with connection failover or multiple links with network traffic load balancing).
  • Page 73 7.1 Network Rules Wizard Figure 7.2 Network Policy Wizard — enabling access to Internet services Allow access to the following services only Only selected services will be available from the local network. Note: Defined restrictions will be applied also to the firewall itself. In this dialog, only basic services are listed (it does not depend on what services were defined in WinRoute —...
  • Page 74 Chapter 7 Traffic Policy Figure 7.3 Network Policy Wizard — Kerio VPN Step 6 — specification of servers that will be available within the local network If any service (e.g. WWW server, FTP server, etc.) which is intended to be available from the Internet is running on the WinRoute host or another host within the local network, define it in this dialog.
  • Page 75 7.1 Network Rules Wizard Figure 7.5 Network Policy Wizard — mapping of the local service Note: Access to the Internet through WinRoute must be defined at the default gateway of the host, otherwise the service will not be available. Service Selection of a service to be enabled.
  • Page 76 Chapter 7 Traffic Policy Figure 7.7 Traffic Policy generated by the wizard FTP Service and HTTP Service These rules map all HTTP and HTTPS services running at the host with the 192.168.1.10 IP address (step 6). These services will be available at IP addresses of the “outbound” interface of the firewall (i.e.
  • Page 77 7.1 Network Rules Wizard This rule sets that in all packets routed from the local network to the Internet, the source (private) IP address will be replaced by the address of the Internet interface through which the packet is sent from the firewall. Only specified services can be accessed by the Internet connection (the wizard, page 4).
  • Page 78: How Traffic Rules Work

    Chapter 7 Traffic Policy 7.2 How traffic rules work The traffic policy consists of rules ordered by their priority. When the rules are applied, they are processed from the top downwards and the first rule is applied that meets connection packet parameters —...
  • Page 79 7.3 Definition of Custom Traffic Rules The background color of each row with this rule can be defined as well. Use the Transparent option to make the background transparent (background color of the whole list will be used, white is usually set). Colors allow highlighting of rules or distinguishing of groups of rules (e.g.
  • Page 80 Chapter 7 Traffic Policy Warning If either the source or the destination computer is specified by DNS name, WinRoute tries to identify its IP address while processing a corresponding traffic rule. If no corresponding record is found in the cache, the DNS forwarder forwards the query to the Internet.
  • Page 81 7.3 Definition of Custom Traffic Rules Figure 7.11 Traffic rule — VPN clients / VPN tunnel in the source/destination address definition tunnel The All option covers all networks connected by all VPN tunnels defined which are active at the particular moment. For detailed information on the proprietary VPN solution integrated in WinRoute, refer to chapter 23.
  • Page 82 Chapter 7 Traffic Policy Note: If you require authentication for any rule, it is necessary to ensure that a rule exists to allow users to connect to the firewall authentication page. If users connect from various hosts, IP addresses of all these hosts must be considered. If user accounts or groups are used as a source in the Internet access rule, neither automatic redirection to the authentication page nor NTLM authentication will work.
  • Page 83 7.3 Definition of Custom Traffic Rules Figure 7.13 Traffic rule — setting a service Use the Remove button to remove all items defined (the Nothing value will be displayed in the item list). Whenever at least one service is added, the Nothing value will be removed automatically.
  • Page 84 Chapter 7 Traffic Policy Figure 7.14 Traffic rule — selecting an action Translation Source or/and destination IP address translation. Source IP address translation (NAT — Internet connection sharing) The source IP address translation can be also called IP masquerading or Internet connection sharing.
  • Page 85 7.3 Definition of Custom Traffic Rules Figure 7.15 Traffic rule — NAT — automatic IP address selection load balancing dividing the traffic among individual links may be not optimal in this case. Load balancing per connection — for each connection established from the LAN to the Internet will be selected an Internet link to spread the load optimally.
  • Page 86 Chapter 7 Traffic Policy Figure 7.16 Traffic rule — NAT — NAT with specific interface (its IP address) failure. If set as suggested, WinRoute will behave like in mode of automatic interface selection (see above) if the such failure occurs. NAT with a specified IP address It is also possible to specify an IP address for NAT which will be used as the source IP address for all packets sent from the LAN to the Internet.
  • Page 87 7.3 Definition of Custom Traffic Rules Full cone NAT For all NAT methods it is possible to enable a mode that allows incoming packets from any address — so-called Full cone NAT. If this option is off, WinRoute performs so-called Port restricted cone NAT. In outgoing packets transferred from the local network to the Internet, WinRoute replaces the source IP address of the particular interface with the public address of the firewall (see above).
  • Page 88 Chapter 7 Traffic Policy Destination NAT (port mapping): Destination address translation (also called port mapping) is used to allow access to services hosted in private local networks behind the firewall. All incoming packets that meet defined rules are re-directed to a defined host (destination address is changed). This actually “moves” to the Internet interface of the WinRoute host (i.e.
  • Page 89 7.3 Definition of Custom Traffic Rules Figure 7.19 Traffic rule — packet/connection logging Note: Connection cannot be logged for blocking and dropping rules (connection is not even established). The following columns are hidden in the default settings of the Traffic Policy window (for details on showing and hiding columns, see chapter 3.2): Valid on Time interval within which the rule will be valid.
  • Page 90: Basic Traffic Rule Types

    Chapter 7 Traffic Policy Default — all necessary protocol inspectors (or inspectors of the services listed in the Service entry) will be applied on traffic meeting this rule. None — no inspector will be applied (regardless of how services used in the Service item are defined).
  • Page 91 7.4 Basic Traffic Rule Types Destination The Internet interfaces group. With this group, the rule is usable for any type of Internet connection (see chapter 6) and it is not necessary to modify it even if the Internet connection is changed. Service This entry can be used to define global limitations for Internet access.
  • Page 92 Chapter 7 Traffic Policy Figure 7.23 Traffic rule that makes the local web server available from the Internet Source Mapped services can be accessed by clients both from the Internet and from the local network. For this reason, it is possible to keep the Any value in the Source entry (or it is possible to list all relevant interface groups or individual groups —...
  • Page 93 7.4 Basic Traffic Rule Types dropped. Therefore, it is recommended to put all rules for mapped services at the top of the table of traffic rules. Note: If there are separate rules limiting access to mapped services, these rules must precede mapping rules.
  • Page 94 Chapter 7 Traffic Policy Limiting Internet Access Sometimes, it is helpful to limit users' access to Internet services from the local network. Access to Internet services can be limited in several ways. In the following examples, the limitation rules use IP translation. There is no need to define other rules, as all traffic that does not meet these requirements will be blocked by the default "catch all"...
  • Page 95: Policy Routing

    7.5 Policy routing Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user account in WinRoute will be allowed to access the Internet after authenticating to the firewall. Firewall administrators can easily monitor which services and which pages are opened by each user (it is not possible to connect anonymously).
  • Page 96 Chapter 7 Traffic Policy marginal traffic (web browsing, online radio channels, etc.). To meet this crucial requirement of enterprise data traffic, it is necessary to consider and employ, besides the destination IP address, additional information when routing packets from the LAN to the Internet, such as source IP address, protocol, etc.
  • Page 97 7.5 Policy routing Figure 7.31 Policy routing — setting NAT for a reserved link Figure 7.32 Policy routing — a link reserved for a specific server Note: In the second rule, automatic interface selection is used. This means that the Internet 4Mbit link is also used for network traffic load balancing.
  • Page 98: User Accounts And Groups In Traffic Rules

    Chapter 7 Traffic Policy IP address will be used). To any other services, load balancing per connection will be applied, so the capacity of available links will be used as efficiently as possible. Meeting these requirements will be guaranteed by using two NAT traffic rules — see figure 7.33.
  • Page 99: Partial Retirement Of Protocol Inspector

    7.7 Partial Retirement of Protocol Inspector counting reasons — see chapter 4.6). However, this NAT rule blocks any connection unless the user is authenticated. Enabling automatic authentication The automatic user authentication issue can be solved easily as follows: Add a rule allowing unlimited access to the HTTP service before the NAT rule. Figure 7.35 These traffic rules enable automatic redirection to the login page In URL rules (see chapter 12.2), allow specific users to access any Web site and deny any access to other users.
  • Page 100 Chapter 7 Traffic Policy Example A banking application (client) communicates with the bank’s server through its own protocol, which uses the TCP protocol on port 2000. Suppose the banking application runs on a host with IP address 192.168.1.15 and connects to the server server.bank.com. This port is also used by the Cisco SCCP protocol.
  • Page 101: Use Of Full Cone Nat

    7.8 Use of Full cone NAT Note: In the default configuration of the Traffic rules section, the Protocol inspector column is hidden. To show it, modify settings through the Modify columns dialog (see chapter 3.2). Warning To disable a protocol inspector, it is not sufficient to define a service that would not use the inspector! Protocol inspectors are applied to all traffic performed by corresponding protocols by default.
  • Page 102: Media Hairpinning

    Chapter 7 Traffic Policy Figure 7.39 Definition of a Full cone NAT traffic rule Source — IP address of a SIP telephone in the local network. Destination — name or IP address of a SIP server in the Internet. Full cone NAT will apply only to connections with this server.
  • Page 103 7.9 Media hairpinning Example: Two SIP telephones in the LAN Let us suppose two SIP telephones are located in the LAN. These telephones authenticate at a SIP server in the Internet. The parameters may be as follows: IP addresses of the phones: 192.168.1.100 and 192.168.1.101 Public IP address of the firewall: 195.192.33.1 SIP server: sip.server.com For the telephones, define corresponding traffic rules —...
  • Page 104: Configuration Of Network Services

    Chapter 8 Configuration of network services This chapter provides guidelines for setting up basic services in WinRoute that are helpful for easy configuration and smooth access to the Internet: DNS module — this service is used as a simple DNS server for the LAN, DHCP server —...
  • Page 105 8.1 DNS module The DNS module configuration By default, the DNS server (the DNS forwarder service), the cache (for faster responses to repeated requests) and a simple DNS name resolver are enabled in WinRoute. The configuration can be fine-tuned in Configuration DNS. Figure 8.1 DNS settings Enable DNS forwarder This option enables the DNS server in WinRoute.
  • Page 106 Chapter 8 Configuration of network services Note: The time period for keeping DNS records in the cache is specified individually in each record (usually 24 hours). Use of the DNS cache also speeds up activity of WinRoute’s non-transparent proxy server (see chapter 8.4). Clear cache Clears all records from the DNS cache (regardless of their lifetime).
  • Page 107 8.1 DNS module Figure 8.2 Editor of the Hosts system file Local DNS domain In the When resolving name from the ’hosts’ file or lease table combine it with DNS domain below entry, specify name of the local DNS domain. If a host or a network device sends a request for an IP address, it uses the name only (it has not found out the domain yet).
  • Page 108 Chapter 8 Configuration of network services Enable DNS forwarding The DNS module allows forwarding of certain DNS requests to specific DNS servers. This feature can be helpful for example when we intend to use a local DNS server for the local domain (the other DNS queries will be forwarded to the Internet directly —...
  • Page 109 8.1 DNS module queries concerning names and reverse queries are independent from each other. For better reference, it is recommended to start with all rules concerning queries for names and continue with all rules for reverse queries, or vice versa. Click on the Add or the Edit button to open a dialog where custom DNS forwarding rules can be defined.
  • Page 110: Dhcp Server

    Chapter 8 Configuration of network services Warning In rules for DNS requests, it is necessary to enter an expression matching the full DNS name! If, for example, the kerio.c* expression is introduced, only names kerio.cz, kerio.com etc. would match the rule, and host names included in these domains (such as www.kerio.cz and secure.kerio.com) would not! Use the Reverse DNS query alternative to specify a rule for DNS queries on IP addresses in a particular subnet.
  • Page 111 8.2 DHCP server DHCP Server Configuration To configure the DHCP server in WinRoute go to Configuration DHCP Server. Here you can define IP scopes, reservations or optional parameters, and view information about occupied IP addresses or statistics of the DHCP server. The DHCP server can be enabled/disabled using the DHCP Server enabled option (at the top).
  • Page 112 Chapter 8 Configuration of network services Figure 8.6 DHCP server — default DHCP parameters DNS server Any DNS server (or multiple DNS servers separated by semicolons) can be defined. We recommend using WinRoute’s DNS module as the primary server (first in the list) —...
  • Page 113 8.2 DHCP server Figure 8.7 DHCP server — IP scopes definition First address, Last address First and last address of the new scope. Note: If possible, we recommend defining a scope larger than the real number of users within the subnet requires. Subnet mask Mask of the appropriate subnet.
  • Page 114 Chapter 8 Configuration of network services Example In 192.168.1.0 subnet you intend to create two scopes: from 192.168.1.10 to 192.168.1.49 and from 192.168.1.61 to 192.168.1.100. Addresses from 192.168.1.50 to 192.168.1.60 will be left free and can be used for other purposes. Create the scope from 192.168.1.10 to 192.168.1.100 and click on the Exclusions button to define the scope from 192.168.1.50 to 192.168.1.60.
  • Page 115 8.2 DHCP server Figure 8.9 DHCP server — DHCP settings To view configured DHCP parameters and their values within appropriate IP scopes see the right column in the Address Scope tab. Note: Simple DHCP server statistics are displayed at the right top of the Address Scope tab. Each scope is described with the following items: total number of addresses within this scope number and percentage proportion of leases...
  • Page 116 Chapter 8 Configuration of network services Figure 8.11 DHCP server — reserving an IP address hardware (MAC) address of the host — it is defined by hexadecimal numbers separated by colons, e.g. 00:bc:a5:f2:1e:50, or by dashes, for example: 00-bc-a5-f2-1e-50 The MAC address of a network adapter can be detected with operating system tools (i.e.
  • Page 117 8.2 DHCP server Figure 8.12 DHCP server — list of leased and reserved IP addresses MAC Address — hardware address of the host that the IP address is assigned to (including name of the network adapter manufacturer). Hostname — name of the host that the IP address is assigned to (only if the DHCP client at this host sends it to the DHCP server) Status —...
  • Page 118 Chapter 8 Configuration of network services the MAC address or name of the host that the address is currently assigned to. The Scopes tab with a dialog where the appropriate address can be leased will be opened automatically. All entries except for the Description item will be already defined with appropriate data. Define the Description entry and click on the OK button to assign a persistent lease for the IP address of the host to which it has been assigned dynamically.
  • Page 119: Dynamic Dns For Public Ip Address Of The Firewall

    8.3 Dynamic DNS for public IP address of the firewall Warning The DHCP server cannot assign addresses to RAS clients connecting to the RAS server directly at the WinRoute host (for technical reasons, it is not possible to receive DHCP queries from the local RAS server). For such cases, it is necessary to configure assignment of IP addresses in the RAS server configuration.
  • Page 120 Chapter 8 Configuration of network services free — the user chooses one of several second-level domains (e.g. no-ip.org, etc.) and selects a free host name in that domain (e.g. ddns.info, company.ddns.info). paid service — the user registers their own domain (e.g. company.com) and the service provider then provides a DNS server for this domain with the option of automatic update of records.
  • Page 121: Proxy Server

    8.4 Proxy server Figure 8.14 Setting cooperation with dynamic DNS server On the Dynamic DNS tab, select a DDNS provider, enter DNS name for which dynamic record will be kept updated and set user name and password for access to updates of the dynamic record.
  • Page 122 Chapter 8 Configuration of network services Proxy server can receive and process clients’ queries locally. The line will not be dialed if access to the requested page is forbidden. WinRoute is deployed within a network with many hosts where proxy server has been used. It would be too complex and time-consuming to re-configure all the hosts.
  • Page 123 8.4 Proxy server Enable non-transparent proxy server This option enables the HTTP proxy server in WinRoute on the port entered in the Port entry (port 3128 by default). Warning If you use a port number that is already used by another service or application, WinRoute will accept this port; however, the proxy server will not be able to run and the following report will be logged into the Error log (refer to chapter 22.8): failed to bind to port 3128:...
  • Page 124: Http Cache

    Chapter 8 Configuration of network services where 192.168.1.1 is the IP address of the WinRoute host and number 3128 represents the port of the proxy server (see above). The Allow browsers to use configuration script automatically... option adjusts the configuration script in accord with the current WinRoute configuration and the settings of the local network: Direct access —...
  • Page 125 8.5 HTTP cache Figure 8.16 HTTP cache configuration Enable cache on proxy server Enables the cache for HTTP traffic via WinRoute’s proxy server (see chapter 8.4). HTTP protocol TTL Default time of object validity within the cache. This time is used when: TTL of a particular object is not defined (to define TTL use the URL specific settings button — see below) TTL defined by the Web server is not accepted (the Use server supplied Time-To-...
  • Page 126 Chapter 8 Configuration of network services Warning Changes in this entry will not be accepted unless the WinRoute Firewall Engine is restarted. Old cache files in the original folder will be removed automatically. Cache size Size of the cache file on the disk. The maximal cache size allowed is 2 GB (2047 MB). Note: If the cache is 98 per cent full, a so-called cleaning will be run —...
  • Page 127 8.5 HTTP cache Warning Some web servers may attempt to bypass the cache by setting a TTL that is too short or too long. Ignore server Cache-Control directive — WinRoute will ignore directives for cache control of Web pages. Pages often include a directive that the page must not be saved into the cache. This directive may be misused, for example, to bypass the cache.
  • Page 128 Chapter 8 Configuration of network services Rules within this dialog are ordered in a list where the rules are read one by one from the top downwards (use the arrow buttons on the right side of the window to reorder the rules). Description Text comment on the entry (informational purpose only) URL for which cache TTL will be specified.
  • Page 129 8.5 HTTP cache Figure 8.19 HTTP cache administration dialog Example Searching for the *ker?o* string lists all objects with a URL matching the specification, such as kerio, kerbo, etc. Each line with an object includes the URL of the object, its size in bytes (B) and the number of hours left until expiration.
  • Page 130: Bandwidth Limiter

    Chapter 9 Bandwidth Limiter The main problem of a shared Internet connection is when one or more users download or upload large volumes of data and occupy a great part of the line connected to the Internet (the so-called bandwidth). The other users are then limited by a slower Internet connection or may also be affected by failures of certain services (e.g.
  • Page 131 9.2 Bandwidth Limiter configuration Figure 9.1 Bandwidth Limiter configuration The Bandwidth Limiter module makes it possible to limit the speed of incoming traffic (i.e. from the Internet to the local network) and of outgoing data (i.e. from the local network to the Internet) for transmissions of large data volumes and for users who have exceeded their quota.
  • Page 132 Chapter 9 Bandwidth Limiter services if too large data volumes are transferred). If they are lower, full line capacity is often not used. Warning For optimal configuration, it is necessary to work with the real capacity of the line. This value may differ from the information provided by the ISP.
  • Page 133 9.2 Bandwidth Limiter configuration Figure 9.2 Bandwidth Limiter — network services Figure 9.3 Bandwidth Limiter — selection of network services IP Addresses and Time Interval It may be also helpful to apply bandwidth limiter only to certain hosts (for example, it may be undesired to limit a mailserver in the local network or communication with the corporate web server located in the Internet).
  • Page 134 Chapter 9 Bandwidth Limiter addresses across the local network and the Internet. Where user workstations use fixed IP addresses, it is also possible to apply this function to individual users. It is also possible to apply bandwidth limiter to a particular time interval (e.g. in work hours).
  • Page 135: Detection Of Connections With Large Data Volume Transferred

    9.3 Detection of connections with large data volume transferred cally. With exception of special conditions (testing purposes) it is highly recommended not to change the default values! Figure 9.5 Bandwidth Limiter — setting parameters for detection of large data volume transfers For detailed description of the detection of large data volume transmissions, refer to chapter 9.3.
  • Page 136 Chapter 9 Bandwidth Limiter Examples: The detection of connections transferring large data volumes will be better understood through the following examples. The default configuration of the detection is as follows: at least 200 KB of data must be transferred with no interruption of 5 seconds or more. The connection in the figure is considered a transmission of a large data volume after the transfer of the third load of data.
  • Page 137: User Authentication

    Chapter 10 User Authentication WinRoute allows administrators to monitor connections (packet, connection, Web pages or FTP objects and command filtering) related to each user. The username in each filtering rule represents the IP address of the host(s) from which the user is connected (i.e. all hosts the user is currently connected from).
  • Page 138 Chapter 10 User Authentication Redirection — when accessing any website (unless access to this page is explicitly allowed to unauthenticated users — see chapter 12.2). Login by redirection is performed in the following way: the user enters the URL of the page they intend to open in the browser. WinRoute detects whether the user has already authenticated.
  • Page 139 10.1 Firewall User Authentication Redirection to the authentication page If the Always require users to be authenticated when accessing web pages option is enabled, user authentication will be required for access to any website (unless the user is already authenticated). The method of the authentication request depends on the method used by the particular browser to connect to the Internet: Direct access —...
  • Page 140 Chapter 10 User Authentication available for other operating systems. For details, refer to chapter 25.3. Automatically logout users when they are inactive Timeout is a time interval (in minutes) of allowed user inactivity. When this period expires, the user is automatically logged out from the firewall. The default timeout value is 120 minutes (2 hours).
  • Page 141: Web Interface

    Chapter 11 Web Interface WinRoute includes a special web server which provides an interface where statistics can be viewed (Kerio StaR), as well as for setting of some user account parameters and for firewall administration via web browser (Web Administration). This Web server is available over SSL or using standard HTTP with no encryption (both versions include identical pages).
  • Page 142 Chapter 11 Web Interface Figure 11.1 Configuration of WinRoute’s Web Interface The name need not be identical with the host name; however, there must exist an appropriate entry in DNS for proper name resolution. The SSL certificate for the secure web interface (see below) should also be issued for the server (i.e.
  • Page 143 11.1 Web interface preferences Configuration of ports of the Web Interface Use the TCP ports section to set ports for unencrypted and encrypted versions of the Web interface (default ports are 4080 for the unencrypted and 4081 for the encrypted version of the Web interface).
  • Page 144 Chapter 11 Web Interface SSL Certificate for the Web Interface The principle of an encrypted WinRoute Web interface is based on the fact that all communication between the client and server is encrypted to protect it from wiretapping and misuse of the transmitted data.
  • Page 145 11.1 Web interface preferences Figure 11.3 SSL certificate of WinRoute’s Web interface Figure 11.4 Creating a new “self-signed” certificate for WinRoute’s Web interface A new (self-signed) certificate is unique. It is created by your company, addressed to your company and based on the name of your server. Unlike the testing version of the certificate, this certificate ensures your clients security, as it is unique and the identity of your server is guaranteed by it.
  • Page 146: User Authentication At The Web Interface

    Chapter 11 Web Interface Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). To import a certificate, open the certificate file (*.crt) and the file including the corresponding private key (*.key). These files are stored in sslcert under the WinRoute’s installation directory.
  • Page 147: Http And Ftp Filtering

    Chapter 12 HTTP and FTP filtering WinRoute provides a wide range of features to filter traffic using HTTP and FTP protocols. These protocols are the most widespread and the most used in the Internet. Here are the main purposes of HTTP and FTP content filtering: to block access to undesirable Web sites (i.e.
  • Page 148: Url Rules

    Chapter 12 HTTP and FTP filtering An appropriate protocol inspector is activated automatically unless its use is denied by traffic rules. For details, refer to chapter 7.3. Connections must not be encrypted. SSL encrypted traffic (HTTPS and FTPS protocols) cannot be monitored. In this case you can block access to certain servers using traffic rules (see chapter 7.3).
  • Page 149 12.2 URL Rules access to other web pages, a rule denying access to any URL must be placed at the end of the rule list. The following items (columns) can be available in the URL Rules tab: Description — description of a particular rule (for reference only). You can use the checkbox next to the description to enable/disable the rule (for example, for a certain time).
  • Page 150 Chapter 12 HTTP and FTP filtering Figure 12.2 URL Rule — basic parameters for example a rule allowing access to certain pages without authentication can be defined. Unless authentication is required, the do not require authentication option is ineffective. selected user(s) — applied on selected users and/or user groups. Click on the Set button to select users or groups (hold the Ctrl and the Shift keys to select more than one user/group at once).
  • Page 151 12.2 URL Rules (wildcard matching) to substitute any number of characters (e.g. *.kerio.com*). Server names represent any URL at a corresponding server (www.kerio.com/*). is in URL group — selection of a URL group (refer to chapter 14.4) which the URL should match is rated by Kerio Web Filter rating system —...
  • Page 152 Chapter 12 HTTP and FTP filtering Figure 12.3 URL Rule — advanced parameters Denial options Advanced options for denied pages. Whenever a user attempts to open a page that is denied by the rule, WinRoute will display: A page informing the user that access to the required page is denied as it is blocked by the firewall.
  • Page 153 12.2 URL Rules another page (see below). A blank page — user will not be informed why access to the required page was denied. Another page — user’s browser will be redirected to the specified URL. This option can be helpful for example to define a custom page with a warning that access to the particular page is denied.
  • Page 154: Content Rating System (Kerio Web Filter)

    Chapter 12 HTTP and FTP filtering HTTP Inspection Advanced Options Click on the Advanced button in the HTTP Policy tab to open a dialog where parameters for the HTTP inspection module can be set. Figure 12.5 HTTP protocol inspector settings Use the Enable HTTP Log and Enable Web Log options to enable/disable logging of HTTP queries (opened web pages) to the HTTP log (see chapter 22.10) and to the Web log (refer to chapter 22.14).
  • Page 155 12.3 Content Rating System (Kerio Web Filter) According to the classification of the page, the user will be either allowed or denied access to the page. To speed up URL rating, data that has already been acquired can be stored in the cache and kept for a certain period.
  • Page 156 Chapter 12 HTTP and FTP filtering Categorize each page regardless of HTTP rules If this option is enabled, Kerio Web Filter categorization will be applied to any web pages (i.e. to all HTTP requests processed by the HTTP protocol inspector). Categorization of all pages is necessary for statistics of the categories of visited web pages (see chapter 21).
  • Page 157 12.3 Content Rating System (Kerio Web Filter) Figure 12.7 Kerio Web Filter rule...
  • Page 158: Web Content Filtering By Word Occurrence

    Chapter 12 HTTP and FTP filtering Figure 12.8 Selection of Kerio Web Filter categories Note: You can define multiple URL rules that will use the Kerio Web Filter rating technology. Multiple categories may be used for each rule. We recommend you to unlock rules that use the Kerio Web Filter rating system (the Users can Unlock this rule option in the Advanced tab).
  • Page 159 12.4 Web content filtering by word occurrence So called forbidden words are used to filter out web pages containing undesirable words. URL rules (see chapter 12.2) define how pages including forbidden content will be handled. Warning Definition of forbidden words and threshold value is ineffective unless corresponding URL rules are set! Definition of rules filtering by word occurrence First, suppose that some forbidden words have been already defined and a threshold value...
  • Page 160 Chapter 12 HTTP and FTP filtering On the Content Rules tab, check the Deny Web pages containing... option to enable filtering by word occurrence. Figure 12.10 A rule filtering web pages by word occurrence (word filtering) Word groups To define word groups go to the Word Groups tab in Configuration Content Filtering HTTP Policy, the Forbidden Words tab.
  • Page 161 12.4 Web content filtering by word occurrence Individual groups and the words included in them are displayed in the form of trees. To enable filtering of particular words, use the checkboxes located next to them. Unchecked words will be ignored. Thanks to this function it is not necessary to remove rules and define them again later. Note: The following word groups are predefined in the default WinRoute installation: Pornography —...
  • Page 162: Ftp Policy

    Chapter 12 HTTP and FTP filtering Weight The weight of the word: the degree to which the word affects possible blocking or allowing of access to websites. The weight should respect the frequency of the particular word in the language (the more common the word, the lower its weight) so that legitimate webpages are not blocked. Description A comment on the word or group.
  • Page 163 12.5 FTP Policy FTP Rules Definition To create a new rule, select a rule after which the new rule will be added, and click Add. You can later use the arrow buttons to reorder the rule list. Checking the box next to the rule can be used to disable the rule. Rules can be disabled temporarily so that it is not necessary to remove rules and create identical ones later.
  • Page 164 Chapter 12 HTTP and FTP filtering Open the General tab to set general rules and actions to be taken. Description Description of the rule (information for the administrator). If user accessing the FTP server is Select which users this rule will be applied on: any user —...
  • Page 165 12.5 FTP Policy Figure 12.15 FTP Rule — advanced settings Valid at time interval Selection of the time interval during which the rule will be valid (apart from this interval the rule will be ignored). Use the Edit button to edit time intervals (for details see chapter 14.2).
  • Page 166 Chapter 12 HTTP and FTP filtering Scan content for viruses according to scanning rules Use this option to enable/disable virus scanning for FTP traffic that meets this rule. This option is available only for allowing rules — it is meaningless to apply an antivirus check to denied traffic.
  • Page 167: Antivirus Control

    Chapter 13 Antivirus control WinRoute provides antivirus checks of objects (files) transmitted by the HTTP, FTP, SMTP and POP3 protocols. In the case of the HTTP and FTP protocols, the WinRoute administrator can specify which types of objects will be scanned. WinRoute is also distributed in a special version which includes the integrated McAfee antivirus. Besides the integrated module, WinRoute also supports many third-party antivirus programs.
  • Page 168: How To Choose And Setup Antiviruses

    Chapter 13 Antivirus control For details, see chapter 13.4. Objects transferred by protocols other than HTTP, FTP, SMTP and POP3 cannot be checked by an antivirus. If a non-standard port is used for the traffic, the corresponding protocol inspector will not be applied automatically.
  • Page 169 13.2 How to choose and setup antiviruses Figure 13.2 Antivirus selection (integrated antivirus) Figure 13.3 Scheduling McAfee updates Check for update every ... hours Time interval of checks for new updates of the virus database and the antivirus engine (in hours). If any new update is available, it will be downloaded automatically by WinRoute.
  • Page 170 Chapter 13 Antivirus control Last update check performed ... ago Time that has passed since the last update check. Virus database version Database version that is currently used. Scanning engine version McAfee scanning engine version used by WinRoute. Update now Use this button for immediate update of the virus database and of the scanning engine.
  • Page 171 13.2 How to choose and setup antiviruses Use the Options button to set advanced parameters for the selected antivirus. Dialogs for individual antiviruses differ (some antivirus programs may not require any additional settings). For detailed information on installation and configuration of individual antivirus programs, refer to http://www.kerio.com/firewall/third-party.
  • Page 172: Http And Ftp Scanning

    Chapter 13 Antivirus control network send their email via an SMTP server located in the Internet. Checking of outgoing SMTP traffic is not suitable for local SMTP servers sending email to the Internet. An example of a traffic rule for checking of outgoing SMTP traffic is shown at figure 13.6. Figure 13.6 An example of a traffic rule for outgoing SMTP traffic check Non-standard extensions of the SMTP protocol can be used in case of communication of two Microsoft Exchange mailservers.
  • Page 173 13.3 HTTP and FTP scanning To set parameters of HTTP and FTP antivirus check, open the HTTP, FTP scanning tab in Configuration Content Filtering Antivirus. Figure 13.7 Settings for HTTP and FTP scanning Use the If a virus is found... entry to specify actions to be taken whenever a virus is detected in a transmitted file: Move the file to quarantine —...
  • Page 174 Chapter 13 Antivirus control Warning When handling files in the quarantine directory, please consider carefully each action you take, otherwise a virus might be activated and the WinRoute host could be attacked by the virus! Alert the client — WinRoute alerts the user who attempted to download the file by an email message warning that a virus was detected and download was stopped for security reasons.
  • Page 175 13.3 HTTP and FTP scanning Figure 13.8 Definition of an HTTP/FTP scanning rule Description Description of the rule (for reference of the WinRoute administrator only) Condition Condition of the rule: HTTP/FTP filename — this option filters out certain filenames (not entire URLs) transmitted by FTP or HTTP (e.g.
  • Page 176: Email Scanning

    Chapter 13 Antivirus control If the object does not match with any rule, it will be scanned automatically. If only selected object types are to be scanned, a rule disabling scanning of any URL or MIME type must be added to the end of the list (the Skip all other files rule is predefined for this purpose). 13.4 Email scanning SMTP and POP3 protocols scanning settings are defined through this tab.
  • Page 177 13.4 Email scanning Figure 13.9 Settings for SMTP and POP3 scanning The quarantine subdirectory under the WinRoute directory is used for the quarantine (the typical path is C:\Program Files\Kerio\WinRoute Firewall\quarantine). Messages with untrustworthy attachments are saved to this directory under names which are generated automatically by WinRoute.
  • Page 178: Scanning Of Files Transferred Via Clientless Ssl-Vpn (Windows)

    Chapter 13 Antivirus control Enable TLS. This alternative is suitable for such cases where protection from wiretapping takes priority over antivirus check of email. Hint In such cases, it is recommended to install an antivirus engine at individual hosts that would perform local antivirus check.
  • Page 179 13.5 Scanning of files transferred via Clientless SSL-VPN (Windows) Transfer directions Use the top section of the SSL-VPN Scanning tab to set to which transfer direction the antivirus check will be applied. By default, only files downloaded from a remote client to a local host are scanned to avoid slowdown (local network is treated as trustworthy).
  • Page 180: Definitions

    Chapter 14 Definitions 14.1 IP Address Groups IP groups are used for simple access to certain services (e.g. WinRoute’s remote administration, Web server located in the local network available from the Internet, etc.). When setting access rights a group name is used. The group itself can contain any combination of computers (IP addresses), IP address ranges, subnets or other groups.
  • Page 181: Time Ranges

    14.2 Time Ranges Figure 14.2 IP group definition Type Type of the new item: Host (IP address or DNS name of a particular host), Network / Mask (subnet with a corresponding mask), IP range (an interval of IP addresses defined by starting and end IP address including both limit values), Address group (another group of IP addresses —...
  • Page 182 Chapter 14 Definitions Figure 14.3 WinRoute’s time intervals Time range types When defining a time interval three types of time ranges (subintervals) can be used: Absolute The time interval is defined with the initial and expiration date and it is not repeated Weekly This interval is repeated weekly (according to the day schedule) Daily...
  • Page 183: Services

    14.3 Services Figure 14.4 Time range definition Valid on Defines days when the interval will be valid. You can either select particular weekdays (Selected days) or use one of the predefined options (All Days, Weekday — from Monday to Friday, Weekend — Saturday and Sunday). Note: each time range must contain at least one item.
  • Page 184 Chapter 14 Definitions Figure 14.5 WinRoute’s network services Clicking on the Add or the Edit button will open a dialog for service definition. Figure 14.6 Network service definition Name Service identification within WinRoute. It is strongly recommended to use a concise name to keep the program easy to follow.
  • Page 185 14.3 Services Description Comments for the service defined. It is strongly recommended to describe each definition, especially with non-standard services, so that there will be minimum confusion when referring to the service at a later time. Protocol The communication protocol used by the service. Most standard services use the TCP or the UDP protocol, or both when they can be defined as one service with the TCP/UDP option.
  • Page 186 Chapter 14 Definitions Figure 14.8 Service definition — source and destination port setting Protocol Inspectors WinRoute includes special subroutines that monitor all traffic using application protocols, such as HTTP, FTP or others. The modules can be used to modify (filter) the communication or adapt the firewall’s behavior according to the protocol type.
  • Page 187: Url Groups

    14.4 URL Groups Note: Generally, protocol inspectors cannot be applied to secured traffic (SSL/TLS). In this case, WinRoute “perceives” the traffic as binary data only. This implies that such traffic cannot be deciphered. Under certain circumstances, applying a protocol inspector is not desirable. Therefore, it is possible to disable a corresponding inspector temporarily.
  • Page 188 Chapter 14 Definitions Matching fields next to each item of the group can be either checked to activate or unchecked to disable the item. This way you can deactivate items with no need to remove them and to define them again. Click on the Add button to display a dialog where a new group can be created or a new item can be added to existing groups.
  • Page 189 14.4 URL Groups Description The item’s description (comments and notes for the administrator).
  • Page 190: User Accounts And Groups

    Chapter 15 User Accounts and Groups User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can also be used to access the WinRoute administration using the Administration Console or the Web Administration interface. WinRoute supports several methods of storing user accounts and groups, combining them with various types of authentication, as follows: Internal user database...
  • Page 191: Viewing And Definitions Of User Accounts

    15.1 Viewing and definitions of user accounts Transparent cooperation with Active Directory (Active Directory mapping) WinRoute can use accounts and groups stored in Active Directory directly — no import to the local database is performed. Specific WinRoute parameters are added by the template of the corresponding account.
  • Page 192 Chapter 15 User Accounts and Groups The searching is helpful especially when the domain includes too many accounts which might make it difficult to look up particular items. Hiding / showing disabled accounts It is possible to disable accounts in WinRoute. Check the Hide disabled user accounts option to show only active (enabled) accounts.
  • Page 193: Local User Accounts

    15.2 Local user accounts Note: It is also possible to select more than one account by using the Ctrl and Shift keys to perform mass changes of parameters for all selected accounts. In mapped Active Directory domains, user accounts cannot be created or removed. These actions must be performed in the Active Directory database on the relevant domain server.
  • Page 194 Chapter 15 User Accounts and Groups Figure 15.2 Local user accounts in WinRoute Step 1 — basic information Figure 15.3 Creating a user account — basic parameters Name Username used for login to the account.
  • Page 195 15.2 Local user accounts Warning The user name is not case-sensitive. We recommend not to use special characters (non-English languages) which might cause problems when authenticating at the firewall’s web interfaces. Full name A full name of the user (usually first name and surname). Description User description (e.g.
  • Page 196 Chapter 15 User Accounts and Groups Warning Passwords may contain printable symbols only (letters, numbers, punctuation marks). Password is case-sensitive. We recommend not to use special characters (non-English languages) which might cause problems when authenticating via the Web interface. NTLM authentication cannot be used for automatic authentication method by NTLM (refer to chapter 25.3).
  • Page 197 15.2 Local user accounts Step 3 — access rights Figure 15.5 Creating a new user account — user rights Each user must be assigned one of the following three levels of access rights. No access to administration The user has no rights to access the WinRoute administration. This setting is commonly used for the majority of users.
  • Page 198 Chapter 15 User Accounts and Groups is displayed. The unlock feature must also be enabled in the corresponding URL rule (for details, refer to chapter 12.2). User can dial RAS connection If the Internet connection uses dial-up lines, users with this right will be allowed to dial and hang up these lines in the Web interface (see chapter 11).
  • Page 199 15.2 Local user accounts Figure 15.6 Creating a new user account — data transmission quota make such users reduce their network activities). For detailed information, see chapter 9. Check the Notify user by email when quota is exceeded option to enable sending of warning messages to the user in case that a quota is exceeded.
  • Page 200 Chapter 15 User Accounts and Groups Don’t block further traffic mode resetting of the data volume counter of the user (see chapter 20.1). Actions for quota-exceeding are not applied if the user is authenticated at the firewall. This would block all firewall traffic as well as all local users. However, transferred data is included in the quota! Hint Data transfer quota and actions applied in response can also be set by a user account template.
  • Page 201 15.2 Local user accounts Pop-up windows Automatic opening of new browser windows — usually pop-up windows with advertisements. This option will allow / block the window.open() method in JavaScript. <Applet> HTML tags Applets in Java. Cross-domain referers This option allows / blocks the Referer item included in an HTTP header. The Referer item includes pages that have been viewed prior to the current page.
  • Page 202 Chapter 15 User Accounts and Groups Figure 15.8 Creating a new user account — IP addresses for VPN client and automatic logins Automatic login can be set for the firewall (i.e. for the WinRoute host) and/or for any other host(s) (i.e. when the user also connects from an additional workstation, such as a notebook, etc.).
  • Page 203: Local User Database: External Authentication And Import Of Accounts

    15.3 Local user database: external authentication and import of accounts 15.3 Local user database: external authentication and import of accounts Users in the local database can be authenticated either at the Active Directory domain or at the Windows NT domain (see chapter 15.2, step one). To apply these authentication methods, the WinRoute host must belong to the corresponding domain.
  • Page 204: User Accounts In Active Directory - Domain Mapping

    Chapter 15 User Accounts and Groups Figure 15.9 Import of accounts from Active Directory Figure 15.10 Importing accounts from the Windows NT domain 15.4 User accounts in Active Directory — domain mapping In WinRoute, it is possible to directly use user accounts from one or more Active Directory domain(s).
  • Page 205 15.4 User accounts in Active Directory — domain mapping Directory and forward them to the corresponding domain server. If another DNS server is used, user authentication in the Active Directory may not work correctly. For mapping of multiple domains: The WinRoute host must be a member of one of the mapped domains. This domain will be set as primary.
  • Page 206 Chapter 15 User Accounts and Groups The first page of the wizard requires the full name of the Active Directory domain (e.g. company.com) and name and password of a user with rights to add hosts to domains. If WinRoute cannot find the domain server of the specified domain automatically, it requires specification of its IP address in the next step.
  • Page 207 15.4 User accounts in Active Directory — domain mapping Figure 15.13 Advanced options for cooperation with the Active Directory. If WinRoute is installed on Windows, it is possible to allow authentication compatible with older systems (i.e. authentication via the Windows NT domain). This option is required if the domain server uses Windows NT or if any of the clients in the local network uses a Windows edition older than Windows 2000.
  • Page 208 Chapter 15 User Accounts and Groups Secured connection to the domain server For higher security (to prevent eavesdropping on traffic and theft of user passwords), the connection to the Active Directory can be encrypted. Enabling of encrypted connection requires corresponding settings on the particular domain server (or on all servers of the particular domain if automatic detection is used).
  • Page 209 15.4 User accounts in Active Directory — domain mapping Use buttons Add or Edit to open a dialog for a new domain definition and enter parameters of the mapped domain. For details, see above (Primary domain mapping and Advanced options). Collision of Active Directory with the local database and conversion of accounts During Active Directory domain mapping, collision with the local user database may occur if a user account with an identical name exists both in the domain and in the local database.
  • Page 210: User Groups

    Chapter 15 User Accounts and Groups 15.5 User groups User accounts can be sorted into groups. Creating user groups provides the following benefits: Specific access rights can be assigned to a group of users. These rights complement rights of individual users. Each group can be used when traffic and access rules are defined.
  • Page 211 15.5 User groups The searching is helpful especially when the domain includes too many groups which might make it difficult to look up particular items. Creating a new local user group In the Domain combo box in Groups, select Local User Database. Click Add to start a wizard where a new user group can be created.
  • Page 212 Chapter 15 User Accounts and Groups Using the Add and Remove buttons you can add or remove users to/from the group. If user accounts have not been created yet, the group can be left empty and users can be added during the account definition (see chapter 15.1).
  • Page 213 15.5 User groups Additional rights: Users can override WWW content rules Users belonging to the group can customize personal web content filtering settings (see chapter 15.2). User can unlock URL rules This option allows its members one-shot bypassing of denial rules for blocked websites (if allowed by the corresponding URL rule —...
  • Page 214: Administrative Settings

    Chapter 16 Administrative settings 16.1 System configuration (Software Appliance / VMware Virtual Appliance) In the Software Appliance / VMware Virtual Appliance edition, the WinRoute administration console allows setting of a few basic parameters of the firewall’s operating system. These settings are necessary for correct functionality of the firewall and they can be found in Configuration / Advanced options, on the System Configuration tab.
  • Page 215: Setting Remote Administration

    16.2 Setting Remote Administration firewall’s system time. The time zone also includes information about daylight saving time settings. Kerio Technologies offers the following free servers for this purpose: 0.kerio.pool.ntp.org, 1.kerio.pool.ntp.org, 2.kerio.pool.ntp.org, 3.kerio.pool.ntp.org. 16.2 Setting Remote Administration Remote administration means connecting to the firewall, monitoring it and changing its configuration with the Administration Console or with the Web Administration interface from a host other than the one on which WinRoute is installed.
  • Page 216: Update Checking

    Chapter 16 Administrative settings Hint In WinRoute, you can use a similar method to allow or block remote administration of Kerio MailServer — for connection via the Administration Console, use the predefined service KMS Admin, for the Web Administration use HTTPS. Note: Be very careful while defining traffic rules, otherwise you could block remote administration from the host you are currently working on.
  • Page 217 16.3 Update Checking 2 minutes after each startup of the WinRoute Firewall Engine, and then every 24 hours. Results of each attempted update check (successful or not) are logged into the Debug log (see chapter 22.6). Check also for beta versions Enable this option if you want WinRoute to also perform update checks for beta versions.
  • Page 218: Advanced Security Features

    Chapter 17 Advanced security features 17.1 P2P Eliminator Peer-to-Peer (P2P) networks are world-wide distributed systems, where each node can represent both a client and a server. These networks are used for sharing of big volumes of data (this sharing is mostly illegal). DirectConnect and Kazaa are the most popular ones. In addition to illegal data distribution, utilization of P2P networks overloads the lines via which users are connected to the Internet.
  • Page 219 17.1 P2P Eliminator Figure 17.1 Detection settings and P2P Eliminator allowance of only certain services and length of the period for which restrictions will be applied). The email is sent only if a valid email address (see chapter 15.1) is specified in the particular user account.
  • Page 220 Chapter 17 Advanced security features Note: If a user who is allowed to use P2P networks (see chapter 15.1) is connected to the firewall from a certain host, no P2P restrictions are applied to this host. Settings in the P2P Eliminator tab are always applied to unauthorized users.
  • Page 221: Special Security Settings

    17.2 Special Security Settings Number of suspicious connections A large number of connections established from the client host is a typical feature of P2P networks (usually one connection for each file). The Number of connections value defines the number of a client’s network connections that must be reached to consider the traffic suspicious.
  • Page 222 Chapter 17 Advanced security features Figure 17.4 Security options — Anti-Spoofing and cutting down number of connections for one host Anti-Spoofing Anti-Spoofing checks whether only packets with allowed source IP addresses are received at individual interfaces of the WinRoute host. This function protects the WinRoute host from attacks from the internal network that use false IP addresses (so-called spoofing).
  • Page 223 17.2 Special Security Settings These restrictions protect the firewall (WinRoute host) from overload and may also help protect it from attacks to the target server, and reduce the activity and impact of a worm or Trojan horse. The count limit for outgoing connections is useful for example when a local client host is attacked by a worm or Trojan horse which attempts to establish connections to a large number of various servers.
  • Page 224: Other Settings

    Chapter 18 Other settings 18.1 Routing table Using Administration Console you can view or edit the system routing table of the host where WinRoute is running. This can be useful especially to resolve routing problems remotely (it is not necessary to use applications for terminal access, remote desktop, etc.). To view or modify the routing table go to Configuration Routing Table.
  • Page 225 18.1 Routing table Note: Changes in the routing table might interrupt the connection between the WinRoute Firewall Engine and the Administration Console. We recommend to check the routing table thoroughly before clicking the Apply button! Route Types The following route types are used in the WinRoute routing table: System routes —...
  • Page 226 Chapter 18 Other settings Figure 18.2 Adding a route to the routing table Network, Network Mask IP address and mask of the destination network. Interface Selection of an interface through which the specific packet should be forwarded. Gateway IP address of the gateway (router) which can route to the destination network. The IP address of the gateway must be in the same IP subnet as the selected interface.
  • Page 227: Universal Plug-And-Play (Upnp)

    18.2 Universal Plug-and-Play (UPnP) Removing routes from the Routing Table Using the Remove button in the WinRoute admin console, records can be removed from the routing table. The following rules are used for route removal: Static routes in the Static Routes folder are managed by WinRoute. Removal of any of the static routes would remove the route from the system routing table immediately and permanently (after clicking on the Apply button).
  • Page 228 Chapter 18 Other settings Enable UPnP This option enables UPnP. Warning If WinRoute is running on Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008, check that the following system services are not running before you start the UPnP function: SSDP Discovery Service Universal Plug and Play Device Host If any of these services is running, stop it and disable its automatic startup.
  • Page 229: Relay Smtp Server

    18.3 Relay SMTP server 18.3 Relay SMTP server WinRoute provides a function which enables notification to users and/or administrators by email alerts. These alert messages can be sent upon various events, for example when a virus is detected (see chapter 13.3), when a Peer-to-Peer network is detected (refer to chapter 17.1), when an alert function is set for certain events (details in chapter 15.1) or upon reception of an alert (see chapter 19.4).
  • Page 230 Chapter 18 Other settings be used for reference in recipient’s mail client or for email classification. This is why it is always recommended to specify sender’s email address in WinRoute. Connection test Click Test to test functionality of sending of email via the specified SMTP server. WinRoute sends a testing email message to the specified email address.
  • Page 231: Status Information

    Chapter 19 Status Information WinRoute activities can be well monitored by the administrator (or by other users with appropriate rights). There are three types of information — status monitoring, statistics and logs. Communication of each computer, users connected or all connections using WinRoute can be monitored.
  • Page 232 Chapter 19 Status Information Figure 19.1 List of active hosts and users connected to the firewall User Name of the user which is connected from a particular host. If no user is connected, the item is empty. Currently Rx, Currently Tx Monitors current traffic speed (kilobytes per second) in both directions (from and to the host —...
  • Page 233 19.1 Active hosts and connected users Connections Total number of connections to and from the host. Details can be displayed in the context menu (see below) Authentication method Authentication method used for the recent user connection: plaintext — user is connected through an insecure login site plaintext SSL —...
  • Page 234 Chapter 19 Status Information User quota Use this option to show quota of the particular user (Administration Console switches to the User quota tab in Status Statistics and selects the particular user automatically). The User quota option is available in the context menu only for hosts from which a user is connected to the firewall.
  • Page 235 19.1 Active hosts and connected users Login information Information on logged-in users: User — name of a user, DNS name (if available) and IP address of the host from which the user is connected Login time — date and time when a user logged in, authentication method that was used and inactivity time (idle).
  • Page 236 Chapter 19 Status Information FTP — DNS name or IP address of the server, size of downloaded/saved data, information on currently downloaded/saved file (name of the file including the path, size of data downloaded/uploaded from/to this file). Multimedia (real time transmission of video and audio data) — DNS name or IP address of the server, type of used protocol (MMS, RTSP, RealAudio, etc.) and volume of downloaded data.
  • Page 237 19.1 Active hosts and connected users The following columns are hidden by default. They can be shown through the Modify columns dialog opened from the context menu (for details, see chapter 3.2). Source port, Destination port Source and destination port (only for TCP and UDP protocols). Protocol Protocol used for the transmission (TCP, UDP, etc.).
  • Page 238: Network Connections Overview

    Chapter 19 Status Information Figure 19.6 Information on selected host and user — traffic histogram Select an item from the Time interval combo box to specify a time period which the chart will refer to (2 hours or 1 day). The x axis of the chart represents time and the y axis represents traffic speed.
  • Page 239 19.2 Network connections overview connections from other hosts to services provided by the host with WinRoute connections performed by clients within the Internet that are mapped to services running in LAN WinRoute administrators are allowed to close any of the active connections. Note: Connections among local clients will not be detected nor displayed by WinRoute.
  • Page 240 Chapter 19 Status Information Source, Destination IP address of the source (the connection initiator) and of the destination. If there is an appropriate reverse record in DNS, the IP address will be substituted with the DNS name. The following columns are hidden by default. They can be enabled through the Modify columns dialog opened from the context menu (for details, see chapter 3.2).
  • Page 241 19.2 Network connections overview Figure 19.8 Context menu for Connections Refresh This option will refresh the information in the Connections window immediately. This function is equal to the function of the Refresh button at the bottom of the window. Auto refresh Settings for automatic refreshing of the information in the Connections window.
  • Page 242: List Of Connected Vpn Clients

    Chapter 19 Status Information For each item either a color or the Default option can be chosen. Default colors are set in the operating system (the common setting for default colors is black font and white background). Font Color Active connections — connections with currently active data traffic Inactive connections —...
  • Page 243: Alerts

    19.4 Alerts IP address — public IP address of the host which the client connects from (see the Hostname column above). Client status — connecting, authenticating (WinRoute verifies username and password), authenticated (username and password correct, client configuration in progress), connected (the configuration has been completed, the client can now communicate with hosts within the local network).
  • Page 244 Chapter 19 Status Information Figure 19.12 Alert Definitions alert Type of the event upon which the alert will be sent: Virus detected — antivirus engine has detected a virus in a file transmitted by HTTP, FTP, SMTP or POP3 (refer to chapter 13). Portscan detected —...
  • Page 245 19.4 Alerts cense/subscription (or license of any module integrated in WinRoute, such as Kerio Web Filter, the McAfee antivirus, etc.) is getting closer. The WinRoute administrator should check the expiration dates and prolong a corresponding license or subscription (for details, refer to chapter 4). Dial / Hang-up of RAS line WinRoute is dialing or hanging-up a RAS line (see chapter 5).
  • Page 246 Chapter 19 Status Information In the Administration Console, alerts are displayed in the language currently set as preferred (see Kerio Administration Console — Help). If alert templates in the language are not available, English version is used instead. Email and SMS alerts are always in English. Note: In the current WinRoute version, alerts are available only in English and Czech.
  • Page 247 19.4 Alerts Figure 19.14 Details of a selected event...
  • Page 248: Basic Statistics

    Chapter 20 Basic statistics Statistical information about users (volume of transmitted data, used services, categorization of web pages) as well as of network interfaces of the WinRoute host (volume of transmitted data, load on individual lines) can be viewed in WinRoute. In the Administration Console, it is possible to view basic quota information for individual users (volume of transferred data and quota usage information) and statistics of network interfaces (transferred data, traffic charts).
  • Page 249 20.1 Volume of transferred data and quota usage Figure 20.1 User statistics is related to the user (the IN direction stands for data received by the user, while OUT represents data sent by the user). Hiding/showing of columns is addressed in chapter 3.2. Information on the volume of data transferred by individual users is saved in the stats.cfg file in the WinRoute directory.
  • Page 250: Interface Statistics

    Chapter 20 Basic statistics Warning Be aware that using this option for the all users item resets counters of all users, including unrecognized ones! Note: Values of volumes of transferred data are also used to check user traffic quota (see chapter 15.1).
  • Page 251 20.2 Interface statistics Figure 20.3 Firewall’s interface statistics Example The WinRoute host connects to the Internet through the Public interface and the local network is connected to the LAN interface. A local user downloads 10 MB of data from the Internet. This data will be counted as follows: IN at the Public interface is counted as an IN item (data from the Internet was received through this interface),...
  • Page 252 Chapter 20 Basic statistics Refresh This option will refresh the information on the Interface Statistics tab immediately. This function is equal to the function of the Refresh button at the bottom of the window. Auto refresh Settings for automatic refreshing of the information on the Interface Statistics tab. Information can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off...
  • Page 253 20.2 Interface statistics The period (2 hours or 1 day) can be selected in the Time interval box. The selected time range is always understood as the time until now (“last 2 hours” or “last 24 hours”). The x axis of the chart represents time and the y axis represents traffic speed. The x axis is measured according to the selected time period, while measurement of the y axis depends on the maximal value of the time interval and is set automatically (bytes per second is the basic measure unit —...
  • Page 254: Kerio Star - Statistics And Reporting

    Chapter 21 Kerio StaR - statistics and reporting The WinRoute’s web interface provides detailed statistics on users, volume of transferred data, visited websites and web categories. This information may help figure out browsing activities and habits of individual users. The statistics monitor the traffic between the local network and the Internet. Volumes of data transferred between local hosts and visited web pages located on local servers are not included in the statistics (also for technical reasons).
  • Page 255 21.1 Monitoring and storage of statistic data is represented by several files on the disk. This implies that any data is kept in the cache even if the WinRoute Firewall Engine is stopped or another problem occurs (failure of power supply, etc.) though not having been stored in the database yet.
  • Page 256: Settings For Statistics And Quota

    Chapter 21 Kerio StaR - statistics and reporting The following example addresses the case of a mapped web server accessible from the Internet. Any (anonymous) user on the Internet can connect to the server. However, web servers are usually located on a dedicated machine which is not used by any user. Therefore, all traffic of this server will be accounted to users who are “not logged in”.
  • Page 257 21.2 Settings for statistics and quota Enable/disable gathering of statistic data The Gather Internet Usage statistics option enables/disables all statistics (i.e. stops gath- ering of data for statistics). The Monitor user browsing behavior option enables monitoring and logging of browsing activity of individual users.
  • Page 258 Chapter 21 Kerio StaR - statistics and reporting Statistics and quota exceptions On the Exceptions tab, it is possible to define exceptions for statistics and for the transferred data quota. This feature helps avoid gathering of irrelevant information. Thus, statistics are kept transparent and gathering and storage of needless data is avoided.
  • Page 259: Connection To Star And Viewing Statistics

    21.3 Connection to StaR and viewing statistics For details on IP groups, see chapter 14.1. Users and groups Select users and/or user groups which will be excluded from the statistics and no quota will be applied to them. This setting has the highest priority and overrules any other quota settings in user or group preferences.
  • Page 260 Chapter 21 Kerio StaR - statistics and reporting Note: Within local systems, secured traffic would be useless and the browser would bother the user with needless alerts. Bear in mind, though, that credentials sent over plain HTTP can be read by anyone able to capture traffic on the local segment; where the browser can be made to trust the firewall’s certificate, HTTPS is the safer choice even on the LAN. Remote access to the statistics It is also possible to access the statistics remotely, i.e. from any host which is allowed to connect to the WinRoute host and the web interface’s ports, by using the following methods: If the host is connected to WinRoute by the Administration Console, the Internet Usage Statistics link available under Status...
  • Page 261 21.3 Connection to StaR and viewing statistics Updating data in StaR First of all, the StaR interface is used for gathering statistics and creating overviews for certain periods. For WinRoute, gathering and evaluation of information for StaR means processing large data volumes.
  • Page 262: Logs

    Chapter 22 Logs Logs are files in which the history of certain events performed through or detected by WinRoute is recorded and kept. Each log is displayed in a window in the Logs section. Each event is represented by one record line. Each line starts with a time mark in brackets (date and time when the event took place, to the second).
  • Page 263 22.1 Log settings Figure 22.1 Log settings File Logging Use the File Logging tab to define file name and rotation parameters. Enable logging to file Use this option to enable/disable logging to file according to the File name entry (the .log extension will be appended automatically). If this option is disabled, none of the following parameters and settings will be available.
  • Page 264 Chapter 22 Logs Figure 22.2 File logging settings …chapter 21.2). Rotation follows the rules described above. Syslog Logging Parameters for logging to a Syslog server can be defined in the External Logging tab. Figure 22.3 Syslog settings...
  • Page 265: Logs Context Menu

    22.2 Logs Context Menu Enable Syslog logging Enable/disable logging to a Syslog server. If this option is disabled, none of the following parameters and settings will be available. Syslog server DNS name or IP address of the Syslog server. Facility Facility that will be used for the particular WinRoute log (depends on the Syslog server).
  • Page 266 Chapter 22 Logs The Save log option opens a dialog box where the following optional parameters can be set: Figure 22.5 Saving a log to a file Target file — name of the file where the log will be saved. By default, a name derived from the file name is set.
  • Page 267 22.2 Logs Context Menu Hint Select a new encoding type if special characters are not printed correctly in non-English versions. Log Settings A dialog where log parameters such as log file name, rotation and Syslog parameters can be set. These parameters can also be set in the Log settings tab under Configuration Accounting.
  • Page 268 Chapter 22 Logs Highlighting rules are ordered in a list. The list is processed from the top. The first rule meeting the criteria stops other processing and the found rule is highlighted by the particular color. Thanks to these features, it is possible to create even more complex combinations of rules, exceptions, etc.
  • Page 269: Alert Log

    22.3 Alert Log 22.3 Alert Log The Alert log provides a complete history of alerts generated by WinRoute (e.g. alerts upon virus detection, dialing and hanging-up, reached quotas, detection of P2P networks, etc.). Each event in the Alert log includes a time stamp (date and time when the event was logged) and information about an alert type (in capitals).
  • Page 270: Connection Log

    Chapter 22 Logs Example [18/Apr/2008 10:27:46] james - insert StaticRoutes set Enabled=’1’, Description=’VPN’, Net=’192.168.76.0’, Mask=’255.255.255.0’, Gateway=’192.168.1.16’, Interface=’LAN’, Metric=’1’ [18/Apr/2008 10:27:46] — date and time when the record was written james — the login name of the user logged in to the WinRoute administration —...
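The Config log record above (timestamp, administrator login, operation, table and a list of key=’value’ pairs) is exactly what an audit trail of configuration changes needs. The following Python is an added example, not code from the manual or from Kerio: it parses records in that format and answers "who changed what, and when". The second sample record (an update that disables the route) and the set of tables treated as sensitive are constructed for the example; plain quotes are used around values.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample records in the Config log format shown in the manual.
SAMPLE_CONFIG_LOG = """\
[18/Apr/2008 10:27:46] james - insert StaticRoutes set Enabled='1', Description='VPN', Net='192.168.76.0', Mask='255.255.255.0', Gateway='192.168.1.16', Interface='LAN', Metric='1'
[18/Apr/2008 10:31:02] james - update StaticRoutes set Enabled='0', Description='VPN'
"""

# [timestamp] user - operation Table set key='value', key='value', ...
RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) - (?P<op>\w+) (?P<table>\w+)"
    r"(?: set (?P<fields>.*))?$"
)
FIELD_RE = re.compile(r"(\w+)='([^']*)'")

@dataclass
class ConfigChange:
    timestamp: datetime
    user: str        # administrator login that made the change
    operation: str   # insert / update / ... as written in the record
    table: str       # configuration table, e.g. StaticRoutes
    fields: Dict[str, str]

def parse_config_log(text: str) -> List[ConfigChange]:
    changes = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not a change record
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        fields = dict(FIELD_RE.findall(m["fields"] or ""))
        changes.append(ConfigChange(ts, m["user"], m["op"], m["table"], fields))
    return changes

# Tables whose modification is worth an alert (assumption for the example).
SENSITIVE_TABLES = {"StaticRoutes", "TrafficRules", "Users"}

def sensitive_changes(changes: List[ConfigChange], tables=SENSITIVE_TABLES) -> List[ConfigChange]:
    """Changes touching routing, traffic policy or accounts."""
    return [c for c in changes if c.table in tables]

def changes_by_user(changes: List[ConfigChange]) -> Dict[str, int]:
    """How many configuration changes each administrator made."""
    return dict(Counter(c.user for c in changes))

if __name__ == "__main__":
    for c in sensitive_changes(parse_config_log(SAMPLE_CONFIG_LOG)):
        print(c.timestamp, c.user, c.operation, c.table, c.fields)
```

Feeding the real Config log file (the one named under Log settings) through parse_config_log gives a list that can be diffed against a change-management record; unexpected administrators or edits to StaticRoutes and TrafficRules are the items to chase.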
  • Page 271: Debug Log

    22.6 Debug Log [18/Apr/2008 10:22:47] — date and time when the event was logged (note: Connection log records are saved immediately after a disconnection). [ID] 613181 — WinRoute connection identification number [Rule] NAT — name of the traffic rule which has been used (the rule by which the traffic was allowed or denied).
  • Page 272 Chapter 22 Logs Figure 22.8 Expression for traffic monitored in the debug log The expression must be defined with special symbols. After clicking on the Help button, a brief description of possible conditions and examples of their use will be displayed. Logging of IP traffic can be cancelled by leaving or setting the Expression entry blank.
  • Page 273: Dial Log

    22.7 Dial Log WAN / Dial-up messages information about dialed lines (request dialing, auto disconnection down-counter), Filtering — logs providing information on filtering of traffic passing through WinRoute (antivirus control, website classification, detection and elimination of P2P networks, dropped packets, etc.), Accounting —...
  • Page 274 Chapter 22 Logs connection time 00:15:53, 1142391 bytes received, 250404 bytes transmitted The first log item is recorded upon reception of a hang-up request. The log provides information about interface name, client type, IP address and username. The second event is logged upon a successful hang-up. The log provides information about interface name, time of connection (connection time), volume of incoming and outgoing data in bytes (bytes received and bytes transmitted).
  • Page 275: Error Log

    22.8 Error Log Another event is logged upon a successful connection (i.e. when the line is dialed, upon authentication on a remote server, etc.). Connection error (e.g. error at the modem was detected, dial-up was disconnected, etc.) [15/Mar/2008 15:59:08] DNS query for "www.microsoft.com" (packet UDP 192.168.1.2:4579 ->...
  • Page 276: Filter Log

    Chapter 22 Logs 8100-8199 — errors of the Kerio Web Filter module 8200-8299 — authentication subsystem errors 8300-8399 — anti-virus module errors (anti-virus test not successful, problems when storing temporary files, etc.) 8400-8499 — dial-up error (unable to read defined dial-up connections, line configu- ration error, etc.) 8500-8599 —...
  • Page 277: Http Log

    22.10 Http log Packet log example [16/Apr/2008 10:51:00] PERMIT ’Local traffic’ packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7 [16/Apr/2008 10:51:00] — date and time when the event was logged PERMIT — action that was executed with the packet (PERMIT, DENY or DROP) Local traffic —...
  • Page 278: Security Log

    Chapter 22 Logs An example of an HTTP log record in the Apache format 192.168.64.64 - jflyaway [18/Apr/2008:15:07:17 +0200] "GET http://www.kerio.com/ HTTP/1.1" 304 0 +4 192.168.64.64 — IP address of the client host jflyaway — name of the user authenticated through the firewall (a dash is displayed if no user is authenticated from the client) [18/Apr/2008:15:07:17 +0200] —...
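Because the user field is a dash whenever nobody is authenticated from the client, traffic from such hosts ends up in the "not logged in" bucket, the same effect chapter 21.2 describes for a mapped web server. The Python below is an added example, not code from the manual or from Kerio: it parses Apache-format HTTP log records as shown above, totals transferred bytes per user and lists the client hosts that produced unauthenticated traffic. The sample lines other than the first, and the treatment of the trailing "+4" field as an opaque value, are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of the HTTP log in Apache format. "-" in the user field
# means no user was authenticated from that client.
SAMPLE_HTTP_LOG = """\
192.168.64.64 - jflyaway [18/Apr/2008:15:07:17 +0200] "GET http://www.kerio.com/ HTTP/1.1" 304 0 +4
192.168.64.65 - - [18/Apr/2008:15:07:20 +0200] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 +1
192.168.64.64 - jflyaway [18/Apr/2008:15:07:25 +0200] "GET http://www.example.com/logo.png HTTP/1.1" 200 2048 +5
"""

# client-ip - user [timestamp] "METHOD URL HTTP/x.y" status size [extra]
# The meaning of the trailing field is not explained in this excerpt, so it is
# captured as-is (assumption).
HTTP_RE = re.compile(
    r'^(?P<ip>[\d.]+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<version>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+)(?: (?P<extra>\S+))?$'
)

NOT_LOGGED_IN = "not logged in"

def parse_http_log(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue  # not an HTTP log record
        row = m.groupdict()
        row["status"] = int(row["status"])
        row["size"] = int(row["size"])
        # A dash means no authenticated user: account it the way the
        # statistics do, under the "not logged in" bucket.
        if row["user"] == "-":
            row["user"] = NOT_LOGGED_IN
        rows.append(row)
    return rows

def bytes_per_user(rows: List[dict]) -> Dict[str, int]:
    """Transferred object sizes summed per user (or per the unauthenticated bucket)."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["user"]] += r["size"]
    return dict(totals)

def unauthenticated_hosts(rows: List[dict]) -> List[str]:
    """Client addresses that generated traffic with no user logged in."""
    return sorted({r["ip"] for r in rows if r["user"] == NOT_LOGGED_IN})

if __name__ == "__main__":
    rows = parse_http_log(SAMPLE_HTTP_LOG)
    print(bytes_per_user(rows))
    print(unauthenticated_hosts(rows))
```

A host that keeps appearing in unauthenticated_hosts is either a server that should be added to the statistics exceptions (chapter 21.2) or a workstation whose user is bypassing authentication; both are worth a look.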
  • Page 279 22.11 Security Log Example [17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0 packet from — packet direction: from means the packet was received via the interface, to means it was sent via the interface (here a packet received on LAN carries a source address that does not belong to the LAN, which is what the Anti-Spoofing check rejects) LAN —...
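The Filter log packet records (chapter 22.9) and the Security log packet records share one syntax: a timestamp, either an action with a rule name or an event name, the direction and interface, and the protocol, length, endpoints and TCP flags. The Python below is an added example, not code from the manual or from Kerio, that parses both kinds of record and then reproduces the anti-spoofing decision the Security log example reports: a packet received on an interface with a source address outside that interface's subnet is spoofed. The interface-to-subnet mapping, the third sample record and the use of plain quotes around the rule name are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records: a Filter log PERMIT, the Security log
# Anti-Spoofing event from the manual, and a constructed DROP.
SAMPLE_PACKET_LOG = """\
[16/Apr/2008 10:51:00] PERMIT 'Local traffic' packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7
[17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0
[17/Jul/2008 11:46:40] DROP 'Default rule' packet from Public, proto:UDP, len:78, ip/port:203.0.113.7:53412 -> 195.39.55.10:161
"""

PACKET_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    # Filter log: ACTION 'rule name'; Security log: EventName:
    r"(?:(?P<action>PERMIT|DENY|DROP) '(?P<rule>[^']*)'|(?P<event>[A-Za-z-]+):) "
    r"[Pp]acket (?P<direction>from|to) (?P<iface>[^,]+), "
    r"proto:(?P<proto>\w+), len:(?P<length>\d+), "
    r"ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, flags: (?P<flags>[A-Z ]+?))?"   # TCP only
    r"(?:,.*)?$"                            # seq/ack/win/tcplen are not needed here
)

@dataclass
class PacketRecord:
    timestamp: str
    action: Optional[str]   # PERMIT / DENY / DROP (Filter log) or None
    rule: Optional[str]     # traffic rule name (Filter log) or None
    event: Optional[str]    # e.g. "Anti-Spoofing" (Security log) or None
    direction: str          # "from" = received on iface, "to" = sent via iface
    interface: str
    proto: str
    length: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: List[str]

def parse_packet_log(text: str) -> List[PacketRecord]:
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # some other kind of record
        records.append(PacketRecord(
            timestamp=m["ts"], action=m["action"], rule=m["rule"], event=m["event"],
            direction=m["direction"], interface=m["iface"], proto=m["proto"],
            length=int(m["length"]), src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            flags=(m["flags"] or "").split(),
        ))
    return records

# Assumed interface-to-subnet mapping of the example network.
INTERFACE_SUBNETS = {"LAN": ipaddress.ip_network("192.168.1.0/24")}

def is_spoofed(rec: PacketRecord, subnets=INTERFACE_SUBNETS) -> bool:
    """Anti-spoofing as the Security log reports it: a packet received on an
    interface whose source address lies outside that interface's subnet."""
    if rec.direction != "from":
        return False
    net = subnets.get(rec.interface)
    return net is not None and ipaddress.ip_address(rec.src) not in net

def denied_records(records: List[PacketRecord]) -> List[PacketRecord]:
    """Filter log records the firewall did not let through."""
    return [r for r in records if r.action in ("DENY", "DROP")]

if __name__ == "__main__":
    for r in parse_packet_log(SAMPLE_PACKET_LOG):
        print(r.timestamp, r.action or r.event, r.src, "->", r.dst, "spoofed" if is_spoofed(r) else "")
```

Running is_spoofed over Filter log PERMIT records is a cheap consistency check: a permitted packet it flags means either the subnet table is incomplete or anti-spoofing is not enabled on that interface.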
  • Page 280: Sslvpn Log

    Chapter 22 Logs administration interface, WebAdmin SSL = secure web administration interface, Proxy = proxy server user authentication) <IP address> — IP address of the computer from which the user attempted to authenticate <reason> — reason of the authentication failure (nonexistent user / wrong pass- word) Note: For detailed information on user quotas, refer to chapters 15.1...
  • Page 281: Web Log

    22.14 Web Log 3000-3999 — warning from individual WinRoute modules (e.g. DHCP server, anti-virus check, user authentication, etc.) 4000-4999 — license warnings (subscription expiration, forthcoming expiration of WinRoute’s license, Kerio Web Filter license, or the McAfee anti-virus license) Note: License expiration is considered to be an error and it is logged into the Error log. Examples of Warning logs [15/Apr/2008 15:00:51] (3004) Authentication subsystem warning: Kerberos 5 auth:...
  • Page 282 Chapter 22 Logs Note: If the page title cannot be identified (e.g. because its content is compressed), "Encoded content" will be reported. http://www.kerio.com/ — URL pages...
  • Page 283: Kerio Vpn

    Chapter 23 Kerio VPN WinRoute enables secure interconnection of remote private networks using an encrypted tun- nel and it provides clients secure access to their local networks via the Internet. This method of interconnection of networks (and of access of remote clients to local networks) is called virtual private network (VPN).
  • Page 284: Vpn Server Configuration

    Chapter 23 Kerio VPN No special user accounts need to be created for VPN clients. User accounts in WinRoute (or domain accounts if Active Directory is used — see chapter 10.1) are used for authentication. Statistics about VPN tunnels and VPN clients can be viewed in WinRoute (refer to chapter 20.2).
  • Page 285 23.1 VPN Server Configuration Figure 23.2 VPN server settings — basic parameters The action will be applied upon clicking the Apply button in the Interfaces tab. IP address assignment Specification of a subnet (i.e. IP address and a corresponding network mask) from which IP addresses will be assigned to VPN clients and to remote endpoints of VPN tunnels which connect to the server (all clients will be connected through this subnet).
  • Page 286 Chapter 23 Kerio VPN later). For VPN tunnels, it is also checked when establishing a connection whether the VPN subnet collides with IP ranges at the other end of the tunnel (remote endpoint). If a collision with an IP range is reported upon startup of the VPN server (upon clicking Apply in the Interfaces tab), the VPN subnet must be set by hand.
  • Page 287 23.1 VPN Server Configuration Figure 23.4 VPN server settings — specification of DNS servers for VPN clients If the DNS module is already used as a DNS server for local hosts, it is recommended to use it also for VPN clients. The DNS module provides the fastest responses to client DNS requests and possible collision (inconsistency) of DNS records will be avoided.
  • Page 288 Chapter 23 Kerio VPN WINS configuration for VPN clients The WINS service is used for resolution of hostnames to IP addresses within Microsoft Windows networks. Assigning a WINS server address then allows VPN clients to browse LAN hosts (Network Neighborhood / My Network Places). Figure 23.5 VPN server settings —...
  • Page 289: Configuration Of Vpn Clients

    23.2 Configuration of VPN clients Figure 23.6 VPN server settings — server port and routes for VPN clients Custom Routes Other networks to which a VPN route will be set for the client can be specified in this section. By default, routes to all local subnets at the VPN server’s side are defined (see chapter 23.4).
  • Page 290 Chapter 23 Kerio VPN Note: Remote VPN clients connecting to WinRoute are counted toward the number of persons using the license (see chapters and 4.6). Be aware of this fact when deciding on what license type should be purchased (or whether an add-on for upgrade to a higher number of users for the license should be bought).
  • Page 291: Interconnection Of Two Private Networks Via The Internet (Vpn Tunnel)

    23.3 Interconnection of two private networks via the Internet (VPN tunnel) 23.3 Interconnection of two private networks via the Internet (VPN tunnel) WinRoute with support for VPN (VPN support is included in the typical installation) must be installed in both networks to enable creation of an encrypted tunnel between a local and a remote network via the Internet (“VPN tunnel”).
  • Page 292 Chapter 23 Kerio VPN Name of the tunnel Each VPN tunnel must have a unique name. This name will be used in the table of inter- faces, in traffic rules (see chapter 7.3) and interface statistics (details in chapter 20.2). Configuration Selection of a mode for the local end of the tunnel: Active —...
  • Page 293 23.3 Interconnection of two private networks via the Internet (VPN tunnel) Figure 23.9 VPN tunnel — certificate fingerprints DNS Settings DNS must be set properly at both ends of the tunnel so that it is possible to connect to hosts in the remote network using their DNS names.
  • Page 294 Chapter 23 Kerio VPN Figure 23.10 VPN tunnel’s routing configuration Connection establishment Active endpoints automatically attempt to recover connection whenever they detect that the corresponding tunnel has been disconnected (the first connection establishment is attempted immediately after the tunnel is defined and upon clicking the Apply button in Configuration Interfaces, i.e.
  • Page 295 23.3 Interconnection of two private networks via the Internet (VPN tunnel) Note: VPN tunnels keep their connection (by sending special packets at regular intervals) even if no data is transmitted. This feature protects tunnels from disconnection by other firewalls or network devices between the ends of the tunnels. Traffic Policy Settings for VPN Once the VPN tunnel is created, it is necessary to allow traffic between the LAN and the network connected by the tunnel and to allow outgoing connection for the Kerio VPN service (from...
  • Page 296: Exchange Of Routing Information

    Chapter 23 Kerio VPN Traffic rules set by this method allow full IP communication between the local network, remote network and all VPN clients. For access restrictions, define corresponding traffic rules (for local traffic, VPN clients, VPN tunnel, etc.). Examples of traffic rules are provided in chapter 23.5.
  • Page 297: Example Of Kerio Vpn Configuration: Company With A Filial Office

    23.5 Example of Kerio VPN configuration: company with a filial office Routes provided automatically Unless any custom routes are defined, the following rules apply to the interchange of routing information: default routes as well as routes to networks with default gateways are not exchanged (default gateway cannot be changed for remote VPN clients and/or for remote end- points of a tunnel), routes to subnets which are identical for both sides of a tunnel are not exchanged...
  • Page 298 Chapter 23 Kerio VPN The server (default gateway) of the headquarters uses the public IP address 63.55.21.12 (DNS name is newyork.company.com), the server of the branch office uses a dynamic IP address assigned by DHCP. The local network of the headquarters consists of two subnets, LAN 1 and LAN 2. The head- quarters uses the company.com DNS domain.
  • Page 299 23.5 Example of Kerio VPN configuration: company with a filial office Common method The following actions must be taken in both local networks (i.e. in the main office and the filial): It is necessary that WinRoute in version 6.0.0 or higher (older versions do not include Kerio VPN) is installed at the default gateway.
  • Page 300 Chapter 23 Kerio VPN In traffic rules, allow traffic between the local network, remote network and VPN clients and set desirable access restrictions. In this network configuration, all desirable restric- tions can be set at the headquarter’s server. Therefore, only traffic between the local network and the VPN tunnel will be enabled at the filial’s server.
  • Page 301 23.5 Example of Kerio VPN configuration: company with a filial office In step 5, select Create rules for Kerio VPN server. Status of the Create rules for Kerio Clientless SSL-VPN option is irrelevant (this example does not include Clientless SSL-VPN interface’s issues).
  • Page 302 Chapter 23 Kerio VPN Figure 23.17 Headquarter — DNS forwarding settings Set the IP address of this interface (10.1.1.1) as a primary DNS server for the WinRoute host’s interface connected to the LAN 1 local network. It is not necessary to set DNS server at the interface connected to LAN 2 —...
  • Page 303 23.5 Example of Kerio VPN configuration: company with a filial office Set the IP address 10.1.1.1 as a primary DNS server also for the other hosts. Note: For proper functionality of DNS, the DNS database must include records for hosts in a corresponding local network.
  • Page 304 Chapter 23 Kerio VPN Create a passive end of the VPN tunnel (the server of the branch office uses a dynamic IP address). Specify the remote endpoint’s fingerprint by the fingerprint of the certificate of the branch office VPN server. Figure 23.20 Headquarter —...
  • Page 305 23.5 Example of Kerio VPN configuration: company with a filial office Figure 23.21 Headquarter — final traffic rules Rules defined this way meet all the restriction requirements. Traffic which will not match any of these rules will be blocked by the default rule (see chapter 7.3). Configuration of a filial office Install WinRoute (version 6.0.0 or later) at the default gateway of the branch office (“server”).
  • Page 306 Chapter 23 Kerio VPN In this case, it would be meaningless to create rules for the Kerio VPN server and/or the Kerio Clientless SSL-VPN, since the server uses a dynamic public IP address. Therefore, leave these options disabled in step 5. Figure 23.23 A filial —...
  • Page 307 23.5 Example of Kerio VPN configuration: company with a filial office Figure 23.25 Filial office — DNS forwarding settings Figure 23.26 Filial office — TCP/IP configuration at a firewall’s interface connected to the local network Set the IP address 192.168.1.1 as a primary DNS server also for the other hosts. Note: For proper functionality of DNS, the DNS database must include records for hosts in a corresponding local network.
  • Page 308 Chapter 23 Kerio VPN certificate provided by a certification authority is available). Note: A free subnet which has been selected is now specified automatically in the VPN network and Mask entries. Figure 23.27 Filial office — VPN server configuration For a detailed description on the VPN server configuration, refer to chapter 23.1. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com).
  • Page 309 23.5 Example of Kerio VPN configuration: company with a filial office Figure 23.28 Filial office — definition of VPN tunnel for the headquarters Figure 23.29 Filial office — final traffic rules Note: It is not necessary to perform any other customization of traffic rules. The required restrictions should be already set in the traffic policy at the server of the headquarters.
  • Page 310: Example Of A More Complex Kerio Vpn Configuration

    Chapter 23 Kerio VPN VPN test Configuration of the VPN tunnel has been completed by now. At this point, it is recommended to test availability of the remote hosts from each end of the tunnel (from both local networks). For example, the ping or/and tracert operating system commands can be used for this testing.
  • Page 311 23.6 Example of a more complex Kerio VPN configuration headquarters uses domain filials subdomains company.com, santaclara.company.com and newyork.company.com. Configuration of individual local networks and the IP addresses used are shown in the figure. Figure 23.30 Example of a VPN configuration — a company with two filials Common method The following actions must be taken in all local networks (i.e.
  • Page 312 Chapter 23 Kerio VPN To provide correct forwarding of DNS requests from a WinRoute host, it is necessary to use an IP address of a network device belonging to the host as the primary DNS server. As a secondary DNS server, a server where DNS requests addressed to other domains will be forwarded must be specified (typically the ISP’s DNS server).
  • Page 313 23.6 Example of a more complex Kerio VPN configuration The following sections provide detailed description of the Kerio VPN configuration both for the headquarter and the filial offices. Headquarters configuration Install WinRoute (version 6.1.0 or higher) at the default gateway of the headquarters network.
  • Page 314 Chapter 23 Kerio VPN This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network (through the firewall). Figure 23.33 Headquarter — default traffic rules for Kerio VPN Customize DNS configuration as follows: In the WinRoute’s DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers).
  • Page 315 23.6 Example of a more complex Kerio VPN configuration Figure 23.35 Headquarter — TCP/IP configuration at a firewall’s interface connected to the local network...
  • Page 316 Chapter 23 Kerio VPN Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certification authority is available). Note: A free subnet which has been selected is now specified automatically in the VPN network and Mask entries.
  • Page 317 23.6 Example of a more complex Kerio VPN configuration Create a passive endpoint of the VPN tunnel connected to the London filial. Use the fin- gerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate.
  • Page 318 Chapter 23 Kerio VPN Figure 23.38 The headquarters — routing configuration for the tunnel connected to the London filial Warning In case the VPN configuration described here is applied (see figure 23.30), it is not recommended to use automatically provided routes! With an automatic exchange of routes, the routing within the VPN would not be ideal (for example, traffic between the headquarters and the Paris filial office is routed via the London filial whereas the direct tunnel between the headquarters and the Paris office stays unused).
  • Page 319 23.6 Example of a more complex Kerio VPN configuration Use the same method to create a passive endpoint for the tunnel connected to the Paris filial. Figure 23.39 The headquarters — definition of VPN tunnel for the Paris filial On the Advanced tab, select the Use custom routes only option and set routes to the sub- nets at the remote endpoint of the tunnel (i.e.
  • Page 320 Chapter 23 Kerio VPN Figure 23.40 The headquarters — routing configuration for the tunnel connected to the Paris filial Figure 23.41 Headquarter — final traffic rules...
  • Page 321 23.6 Example of a more complex Kerio VPN configuration Configuration of the London filial Install WinRoute (version 6.1.0 or higher) at the default gateway of the filial’s network. Use Network Rules Wizard (see chapter 7.1) to configure the basic traffic policy in WinRoute. To keep the example as simple as possible, it is supposed that the access from the local network to the Internet is not restricted, i.e.
  • Page 322 Chapter 23 Kerio VPN This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network (through the firewall). Figure 23.44 The London filial office — default traffic rules for Kerio VPN Customize DNS configuration as follows: In the WinRoute’s DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers).
  • Page 323 23.6 Example of a more complex Kerio VPN configuration Figure 23.46 The London filial office — VPN server configuration For a detailed description on the VPN server configuration, refer to chapter 23.1. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com).
  • Page 324 Chapter 23 Kerio VPN branch office server. Figure 23.47 The London filial office — definition of VPN tunnel for the headquarters...
  • Page 325 23.6 Example of a more complex Kerio VPN configuration Figure 23.48 The London filial — routing configuration for the tunnel connected to the headquarters...
  • Page 326 Chapter 23 Kerio VPN Create a passive endpoint of the VPN tunnel connected to the Paris filial. Use the finger- print of the VPN server of the Paris filial office as a specification of the fingerprint of the remote SSL certificate. Figure 23.49 The London filial office —...
  • Page 327 23.6 Example of a more complex Kerio VPN configuration Figure 23.50 The London filial — routing configuration for the tunnel connected to the Paris branch office Figure 23.51 The London filial office — final traffic rules...
  • Page 328 Chapter 23 Kerio VPN Configuration of the Paris filial Install WinRoute (version 6.1.0 or higher) at the default gateway of the filial’s network. Use Network Rules Wizard (see chapter 7.1) to configure the basic traffic policy in WinRoute. To keep the example as simple as possible, it is supposed that the access from the local network to the Internet is not restricted, i.e.
  • Page 329 23.6 Example of a more complex Kerio VPN configuration Customize DNS configuration as follows: In the WinRoute’s DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers). Enable the Use custom forwarding option and define rules for names in the company.com and filial1.company.com domains.
  • Page 330 Chapter 23 Kerio VPN Figure 23.55 The Paris filial office — VPN server configuration...
  • Page 331 23.6 Example of a more complex Kerio VPN configuration Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerprint of the VPN server of the headquarters as a specification of the fingerprint of the remote SSL certificate. Figure 23.56 The Paris filial office —...
  • Page 332 Chapter 23 Kerio VPN Paris branch office server. Figure 23.57 The Paris filial — routing configuration for the tunnel connected to the headquarters...
  • Page 333 23.6 Example of a more complex Kerio VPN configuration Create an active endpoint of the VPN tunnel connected to the London filial (server gw-london.company.com). Use the fingerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate. Figure 23.58 The Paris filial office —...
  • Page 334 Chapter 23 Kerio VPN Figure 23.59 The Paris filial — routing configuration for the tunnel connected to the London branch office Figure 23.60 The Paris filial office — final traffic rules connect to this branch office). VPN test The VPN configuration has been completed by now. At this point, it is recommended to test reachability of the remote hosts in the other remote networks (at remote endpoints of individ- ual tunnels).
  • Page 335: Kerio Clientless Ssl-Vpn (Windows)

    Chapter 24 Kerio Clientless SSL-VPN (Windows) Kerio Clientless SSL-VPN (hereinafter “SSL-VPN”) is a special interface used for secured remote access to shared items (files and folders) in the network protected by WinRoute via a web browser. This interface is available only in WinRoute on Windows. To a certain extent, the SSL-VPN interface is an alternative to Kerio VPN Client (see chapter 23).
  • Page 336 Chapter 24 Kerio Clientless SSL-VPN (Windows) SSL-VPN interface configuration The SSL-VPN interface can be enabled/disabled on the Web Interface SSL-VPN in the Config- uration Advanced Options section. Figure 24.1 Configuration of the SSL-VPN interface Through the Advanced button, you can get to configuration of a port and SSL certificate for the SSL-VPN interface.
  • Page 337: Usage Of The Ssl-Vpn Interface

    24.2 Usage of the SSL-VPN interface Allowing access from the Internet Access to the SSL-VPN interface from the Internet must be allowed by defining a traffic rule allowing connection to the firewall’s HTTPS service. For details, see chapter 7.4. Figure 24.3 Traffic rule allowing connection to the SSL-VPN interface Note: If the port for SSL-VPN interface is changed, it is also necessary to modify the Service item in this rule! Antivirus control...
  • Page 338: Specific Settings And Troubleshooting

    Chapter 25 Specific settings and troubleshooting This chapter provides description of advanced features and specific configurations of the fire- wall. It also includes helpful guidelines for solving of issues which might occur when you use WinRoute in your network. 25.1 Configuration Backup and Transfer If you need to reinstall the firewall’s operating system (e.g.
  • Page 339: Configuration Files

    25.2 Configuration files 25.2 Configuration files This chapter provides clear descriptions of WinRoute configuration and status files. This infor- mation can be helpful for example when troubleshooting specific issues in cooperation with the Kerio Technologies technical support department. For backup and recovery of your firewall configuration, it is recommended to use configuration export and import tools addressed in chapter 25.1! Configuration files All WinRoute configuration data is stored in the following files under the same directory where...
  • Page 340: Automatic User Authentication Using Ntlm

    Chapter 25 Specific settings and troubleshooting Status files In addition, WinRoute generates other files and directories where certain status information is saved: Files: dnscache.cfg DNS files stored in the DNS module’s cache (see chapter 8.1). leases.cfg IP addresses assigned by the DHCP server. This file keeps all information available on the Leases tab of the Configuration DHCP server section (refer to chapter 8.2).
  • Page 341 25.3 Automatic user authentication using NTLM General conditions The following conditions are applied to this authentication method: WinRoute Firewall Engine is running as a service or it is running under a user account with administrator rights to the WinRoute host. The server (i.e.
  • Page 342 Chapter 25 Specific settings and troubleshooting The configuration of the WinRoute’s web interface must include a valid DNS name of the server on which WinRoute is running (for details, see chapter 11.1). Figure 25.2 Configuration of WinRoute’s Web Interface Note: In the Software Appliance / VMware Virtual Appliance edition, the server name is set on the System Configuration tab (see chapter 16.1).
  • Page 343: Ftp On Winroute's Proxy Server

    25.4 FTP on WinRoute’s proxy server NTLM authentication arise, it is recommended to remove all usernames/passwords for the server where WinRoute is installed from the Password Manager. Firefox/SeaMonkey The browser displays the login dialog. For security reasons, automatic user authentica- tion is not used by default in the browser.
  • Page 344 Chapter 25 Specific settings and troubleshooting Terminal FTP clients (such as the ftp command in Windows or Linux) do not allow configuration of the proxy server. For this reason, they cannot be used for our purposes. To connect to FTP servers, the proxy server uses the passive FTP mode. If the FTP server is protected by a firewall which does not support passive FTP (this is not a problem of WinRoute), it is not possible to use the proxy to connect to the server.
  • Page 345 25.4 FTP on WinRoute’s proxy server Figure 25.3 Configuring proxy server in Internet Explorer 6.0 Hint To configure web browsers, you can use a configuration script or the automatic detection of configuration. For details, see chapter 8.4. Note: Web browsers used as FTP clients allow only downloading of files. Uploads to an FTP server via web browsers are not supported.
  • Page 346: Internet Links Dialed On Demand

    Chapter 25 Specific settings and troubleshooting Figure 25.4 Setting proxy server for FTP in Total Commander Hint The defined proxy server is indexed and saved to the list of proxy servers automatically. Later, whenever you are creating other FTP connections, you can simply select a corresponding proxy server in the list.
  • Page 347 25.5 Internet links dialed on demand If WinRoute receives a packet from the local network, it will compare it with the system routing table. If the packet goes out to the Internet, no record will be found, since there is no default route in the routing table.
  • Page 348 Chapter 25 Specific settings and troubleshooting from the local host to the Internet, the packet will be dropped by the operating system before the WinRoute driver is able to capture it. Typically the server is represented by the DNS name within traffic between clients and an Internet server.
  • Page 349 25.5 Internet links dialed on demand The Proxy server in WinRoute (see chapter 8.4) also provides direct dial-up connections. A special page providing information on the connection process is opened (the page is refreshed in short periods). Upon a successful connection, the browser is redirected to the specified Website.
  • Page 350 Chapter 25 Specific settings and troubleshooting All DNS names missing a suitable rule will be dialed automatically by the DNS module when demanded. In Actions for DNS name, you can select either the Dial or the Ignore option. Use the second option to block dialing of the line in response to a request for this DNS name.
  • Page 351: Technical Support

    Chapter 26 Technical support Free email and telephone technical support is provided for Kerio WinRoute Firewall. Contacts and more information can be found at http://www.kerio.com/support. Our technical support staff is ready to help you with any problem you might have. You can also solve many problems on your own (and sometimes even faster).
  • Page 352: Tested In Beta Version

    Chapter 26 Technical support as kerio_support_info.txt. Note: The kerio_support_info.txt is generated by the Administration Console. This implies that in case you connect to the administration remotely, this file will be stored on the computer from which you connect to the WinRoute administration (not on the computer/server where the WinRoute Firewall Engine is running).
  • Page 353: Legal Notices

    Appendix A Legal Notices Microsoft, Windows, Windows NT, Windows Vista, Internet Explorer, ActiveX, and Active Directory are registered trademarks or trademarks of Microsoft Corporation. Mac OS and Safari are registered trademarks or trademarks of Apple Computer, Inc. Linux is a registered trademark held by Linus Torvalds.
  • Page 354: Used Open Source Items

    Appendix B Used open source items Kerio WinRoute Firewall contains the following open-source software: bindlib Copyright 1983, 1993 The Regents of the University of California. All rights reserved. Portions Copyright 1993 by Digital Equipment Corporation. Firebird This software embeds a modified version of the Firebird database engine distributed under the terms of the IPL and IDPL licenses.
  • Page 355 KVNET — driver Kerio Virtual Network Interface driver for Linux (driver for the Kerio VPN virtual network adapter) Copyright Kerio Technologies s.r.o. Homepage: http://www.kerio.com/ Kerio Virtual Network Interface driver for Linux is distributed and licensed under GPL version 2. The complete source code is available at: http://download.kerio.com/dwn/libkvnet.tgz KVNET —...
  • Page 356 Appendix B Used open source items Copyright 1999-2006 The PHP Group. All rights reserved. This product includes PHP software available for free at: http://www.php.net/software/ php_mbstring Copyright 2001-2004 The PHP Group. Copyright 1998-2002 HappySize, Inc. All rights reserved. Prototype Framework in JavaScript. Copyright Sam Stephenson.
  • Page 357: Glossary Of Terms

    Glossary of terms ActiveX This proprietary Microsoft technology is used for the creation of dynamic objects for web pages. It provides a wide range of features, such as writing to disk or running commands at the client (i.e. on the host where the Web page is opened).
  • Page 358 Glossary of terms DMZ (demilitarized zone) is a reserved network area where services available both from the Internet and from the LAN are run (e.g. a company’s public web server). The DMZ provides an area where publicly accessible servers are located separately, so that they cannot be misused for cracking into the LAN.
  • Page 359 Ident The Ident protocol is used for identification of the user who established a certain TCP connection from a particular (multi-user) system. The Ident service is used for example by IRC servers, FTP servers and other services. More information (in English) can be found for example at Wikipedia. IMAP Internet Message Access Protocol (IMAP) enables clients to manage messages stored on a mail server without downloading them to a local computer.
  • Page 360 Glossary of terms will be redirected to this host. Packets that do not match with any record in the NAT table will be dropped. destination address translation (Destination NAT, DNAT, it is also called port mapping) — is used to enable services in the local network from the Internet. If any packet incoming from the Internet meets certain requirements, its IP address will be substituted by the IP address of the local host where the service is running and the packet is sent to this host.
  • Page 361 Ports 1-1023 are reserved and used by well-known services (e.g. 80 = WWW). Ports above 1023 can be freely used by any application. PPTP Microsoft’s proprietary protocol used for building virtual private networks. See chapters and sections concerning VPN. Private IP addresses Local networks which do not belong to the Internet (private networks) use reserved ranges of IP addresses (private addresses).
  • Page 362 Glossary of terms Routing table The information used by routers when making packet forwarding decisions (so-called routes). Packets are routed according to the packet’s destination IP address. On Windows, the routing table can be printed with the route print command, while on Unix systems (Linux, Mac OS X, etc.) with the route command.
  • Page 363 RST (Reset) — request for termination of the current connection and initiation of a new one URG (Urgent) — urgent packet PSH (Push) — request for immediate transmission of the data to upper TCP/IP layers FIN (Finalize) — connection finalization TCP/IP Name used for all traffic protocols used in the Internet (i.e.
  • Page 364: Index

    Index URL exceptions Active Directory certificate domain mapping SSL-VPN import of user accounts VPN server mapping of other domains Web Interface administration Clientless SSL-VPN remote 18, antivirus check Administration Console certificate columns configuration views setup deployment alerts port overview traffic rule settings user right 198, templates...
  • Page 365 local domain dynamic DNS Kerberos Kerio Administration Console Kerio Web Filter FTP 147, 186, deployment filtering rules parameters configuration full cone NAT website categories groups language interface throughput charts Administration Console IP address of alerts of forbidden words Web Administration license user groups 190, 196, expiration...
  • Page 366 Index registration media hairpinning at the Kerio website multihoming of purchased product trial version relay SMTP server NAT 84, routing table full cone NAT 87, static routes NT domain import of user accounts NTLM 138, services 82, configuration of web browsers deployment SSL-VPN WinRoute configuration...
  • Page 367 traffic policy Kerio Clientless SSL-VPN created by wizard Kerio VPN default rule routing definition server 48, exceptions SSL certificate Internet access limiting tunnel wizard VPN client transparent proxy Trial ID routing TTL 125, static IP address WINS VPN tunnel uninstallation configuration update antivirus...