Administrator’s Guide Kerio Technologies
Kerio Technologies. All Rights Reserved. Release Date: March 14, 2007. This guide provides a detailed description of Kerio WinRoute Firewall, version 6.3.0. All additional modifications and updates reserved. For the current product version, check http://www.kerio.com/kwfdwn. Information regarding registered trademarks and trademarks is provided in appendix A.
Contents
1 Quick Checklist 8
2 Introduction
  2.1 Kerio WinRoute Firewall
  2.2 Conflicting software
7 Bandwidth Limiter
  7.1 How the bandwidth limiter works and how to use it
  7.2 Bandwidth Limiter configuration
  7.3 Detection of connections with large data volume transferred
8 User Authentication
14 Remote Administration and Update Checks 209
  14.1 Setting Remote Administration 209
  14.2 Update Checking 210
15 Advanced security features
  15.1 P2P Eliminator
20.7–20.14 Dial Log, Error Log, Filter Log, Http log
21
A Legal Presumption 383
B Used open-source libraries 384
Glossary of terms 386
Index
Chapter 1 Quick Checklist
In this chapter you can find a brief guide for a quick setup of Kerio WinRoute Firewall (referred to simply as "WinRoute" in the rest of this guide). After this setup the firewall should be immediately available, able to share your Internet connection and protect your local network. For a detailed guide refer to the separate WinRoute — Step-by-Step Configuration guide.
7. Define IP groups (chapter 12.1), time ranges (chapter 12.2) and URL groups (chapter 12.4) that will be used when defining rules (refer to chapter 12.2).
8. Create URL rules (chapter 10.2) and set up the ISS OrangeWeb Filter module (chapter 10.4). Set up the HTTP cache and automatic configuration of browsers (chapter 5.6). Define FTP rules (chapter 10.6).
9. Select an antivirus and define the types of objects that will be scanned.
Chapter 2 Introduction
2.1 Kerio WinRoute Firewall
Kerio WinRoute Firewall 6.0 is a comprehensive tool for connecting a local network to the Internet and protecting that network from intrusions. It is developed for Windows 2000, XP and 2003.
Basic Features
Transparent Internet Access
With Network Address Translation (NAT) technology, the local private network can be connected to the Internet through a single public IP address (static or dynamic).
Protocol Maintenance (Protocol Inspectors)
You may come across applications that do not support standard communication and that may, for instance, use incompatible communication protocols. To address this, WinRoute includes so-called protocol inspectors, which identify the application protocol and modify the firewall's behavior dynamically, for example by granting temporary access to a specific port (the inspector can temporarily open the port requested by the server).
Antivirus control
WinRoute can perform antivirus checks of transmitted files. For this purpose, either the built-in McAfee antivirus or an external antivirus program (e.g. NOD32, AVG) is available. Antivirus checks can be applied to the HTTP, FTP, SMTP and POP3 protocols.
2.2 Conflicting software
Clientless SSL-VPN
The role of a VPN solution that requires a special application on the client side can be filled by remote access to a private network using a web browser. Clientless SSL-VPN enables browsing through hosts and shared items in remote networks, as well as downloading and saving files. The traffic is secured by SSL (HTTPS).
• 1900/UDP — SSDP Discovery service
• 2869/TCP — UPnP Host service
The SSDP Discovery and UPnP Host services are part of UPnP support (refer to chapter 16.3).
• 44333/TCP+UDP — traffic between Kerio Administration Console and WinRoute Firewall Engine. This service cannot be stopped.
The following services use the listed ports by default. Ports for these services can be changed.
2.3 Installation
System requirements
Minimum hardware requirements for the host where WinRoute will be installed:
• CPU 1 GHz
• 512 MB RAM
• 2 network interfaces
• 50 MB free disk space (for the installation)
• Disk space for statistics (see chapter 19) and logs (depending on traffic volume and logging level — see chapter 20)
• For maximum protection of the installed product (particularly its configuration files), it is recommended to use the NTFS file system.
We recommend checking the following items before you run the WinRoute installation:
• The operating system time should be set correctly (for timely operating system and antivirus updates, etc.).
• The latest service packs and all Microsoft-recommended security updates should be applied.
• TCP/IP parameters should be set for all available network adapters.
• All network connections (both to the local network and to the Internet) should function properly.
Figure 2.1 Custom installation — selecting optional components
Figure 2.2 Installation — verifying compatibility of the low-level driver with Windows XP
Notes:
1.
...the operating system). However, the drivers provided in the WinRoute installation package have been tested on all supported Windows operating systems and may therefore be considered compatible. The Kerio WinRoute Firewall low-level driver (Kerio WinRoute Firewall Driver — Lower Layer) must be installed for each network adapter, so the total number of alerts depends on the number of network adapters in the system.
2.
Conflicting Applications and System Services
The WinRoute installation program detects applications and system services that might conflict with the WinRoute Firewall Engine.
1. Windows Firewall system components and Internet Connection Sharing. These components provide the same low-level functions as WinRoute. If they run concurrently with WinRoute, network communication will not work correctly and WinRoute might be unstable.
Figure 2.3 Disabling colliding system services during installation
...in the warning log. This helps ensure that the service will be enabled immediately after the WinRoute installation.
2. In Windows XP Service Pack 2, WinRoute automatically registers itself in the Security Center. As a result, the Security Center always indicates the firewall status correctly and does not display warnings that the system is not protected.
2.5 WinRoute Engine Monitor
Note: WinRoute Firewall Engine is independent of the WinRoute Engine Monitor. The Engine can be running even if there is no icon in the System Tray on Windows or in the Dock on Mac OS X.
Kerio Administration Console
A versatile console for local or remote administration of Kerio server products. To connect to an application you need a plug-in with the appropriate interface.
Start-up Preferences: with these options the WinRoute Engine and/or WinRoute Engine Monitor can be set to launch automatically when the operating system starts. Both options are enabled by default.
Administration: runs Kerio Administration Console (equivalent to double-clicking the WinRoute Engine Monitor icon).
Internet Usage Statistics: opens Internet Usage Statistics in the default browser. For details, see chapter 19.
2.6 Upgrade and Uninstallation
Uninstallation
To uninstall WinRoute, stop all three WinRoute components. The Add/Remove Programs option in the Control Panel launches the uninstallation process. All files under the WinRoute directory (typically C:\Program Files\Kerio\WinRoute Firewall) can optionally be deleted: configuration files, SSL certificates, the license key, logs, etc.
Upgrade from WinRoute Pro 4.x
To import the configuration used in WinRoute Pro 4.x into Kerio WinRoute Firewall 6.x, follow these steps:
1. Upgrade WinRoute Pro 4.x to Kerio WinRoute Firewall 5.x. Version 5.x includes an initial configuration tool that can read and translate the WinRoute Pro 4.x configuration.
2. Upgrade version 5.x to version 6.x (see above).
Note: This upgrade method is not recommended. Do not use it unless necessary (e.g.
2.7 Configuration Wizard
Figure 2.7 Initial configuration — Setting of administration username and password
Remote Access
Immediately after the first WinRoute Firewall Engine startup, all network traffic is blocked (desired traffic must be permitted by traffic rules — see chapter 6). If WinRoute is installed remotely (i.e. via terminal access), communication with the remote client will also be interrupted immediately (WinRoute must then be configured locally).
Figure 2.8 Initial configuration — Allowing remote administration
Warning: The remote access rule is disabled automatically when WinRoute is configured using the network policy wizard (see chapter 6.1).
Chapter 3 WinRoute Administration
All Kerio products, including WinRoute, are administered through the Kerio Administration Console application (used for administration of all Kerio Technologies server products; hereinafter Administration Console). Using this program you can access WinRoute Firewall Engine either locally (from the Engine host) or remotely (from another host). Traffic between Administration Console and WinRoute Firewall Engine is encrypted.
Figure 3.1 The main window of Administration Console for WinRoute
Administration Window
Main menu
The main menu provides the following options:
File
• Reconnect — reconnects to WinRoute Firewall Engine after a connection drop-out (caused, for example, by a restart of the Engine or by a network error).
• New connection — opens the main window of the Administration Console. Use a bookmark or the login dialog to connect to a server.
3.1 Administration Window
Status bar
The status bar at the bottom of the administration window displays the following information (from left to right):
Figure 3.2 Administration Console status bar
• The section of the administration window currently selected in the left column. This helps with navigation in the administration window when part of the section tree is not visible (e.g. at a lower screen resolution).
After you remove the cause of the connection failure, the connection can be restored. If the reconnection attempt fails, only the error message is shown. You can then try to reconnect using File → Restore connection from the main menu, or close the window and restore the connection using the standard procedure.
3.2 View Settings
Many sections of the Administration Console are in table form, where each line represents one record (e.g.
Note: The width of individual columns can be adjusted by dragging the dividing line between the column headers.
Chapter 4 Product Registration and Licensing
When purchased, Kerio WinRoute Firewall must be registered at the Kerio Technologies website (http://www.kerio.com/). A so-called license key (the license.key file) is generated upon successful registration and must be imported into WinRoute (refer to chapter 4.2). If the key is not imported, WinRoute behaves as a full-featured trial version whose license is limited by an expiration timeout.
4.1 License types and number of users
• update right expiration date — the date until which WinRoute can be updated for free. After this date WinRoute keeps functioning, but it cannot be updated. The update period can be extended by purchasing a subscription.
• product expiration date — the date on which WinRoute stops functioning and blocks all TCP/IP traffic on the host where it is installed.
4.2 License information
The license information is displayed by selecting Kerio WinRoute Firewall (the first item in the tree in the left part of the Administration Console window; this section is displayed automatically whenever WinRoute administration is entered).
Figure 4.1 Administration Console welcome page providing license information
Product: name of the product (WinRoute).
Copyright: copyright information.
License ID: license number or a special license name.
Subscription expiration date: date until which the product can be upgraded for free.
Product expiration date: date when the product expires and stops functioning (only for trial versions or special license types).
Number of users: maximum number of hosts (unique IP addresses) that can be connected to the Internet via WinRoute at the same time (for details, refer to chapter 4.6).
Figure 4.2 The Administration Console's welcome page pop-up menu
• Copy license number to clipboard — copies the license number (the License ID item) to the clipboard. This may be helpful, e.g. when ordering an upgrade or subscription, where the number of the base license is required, or when reporting an issue to Kerio Technologies technical support.
• Register trial version — registration of the product's trial version.
4.3 Registration of the product in the Administration Console
Figure 4.3 Trial version registration — security code
Figure 4.4 Trial version registration — user information
3. Page three includes optional information. It is not obligatory to answer these questions; however, the answers help Kerio Technologies accommodate the demands of as many customers as possible.
Figure 4.5 Trial version registration — other information
4. The fourth page provides the information summary. If any information is incorrect, use the Back button to return to the corresponding page and correct the data.
5. The last page of the wizard provides the user's Trial ID. This ID is a unique code used to identify the registered user when asking for help from our technical support.
Figure 4.7 Trial version registration — Trial ID
At this point, an email message (in the language set in the Administration Console) requesting confirmation of the registration is sent to the email address specified on page two of the wizard.
Figure 4.9 Product registration — license numbers of additional components, add-ons and subscription
3. On the third page, enter information about the user (person, company). The user must also accept the Privacy Policy Terms; otherwise, the information cannot be stored in the Kerio Technologies database. Use the E-mail address field to enter a valid email address.
Figure 4.10 Product registration — user information
5. The last page provides the information summary. If any information is incorrect, use the Back button to return to the corresponding page and correct the data.
Figure 4.12 Product registration — summary
Click Finish to use the information to generate a unique license key. The new license is applied immediately (no restart is required).
Note: If an error is reported upon finishing the registration process (e.g.
4.4 Product registration at the website
If, for any reason, registration of WinRoute cannot be performed from the Administration Console, it is still possible to register the product at the Kerio Technologies website. The registration form can be found under Purchase → License Registration. The form is almost identical to the registration process described in chapter 4.3.
4.5 Subscription / Update Expiration
Administrators are informed in two ways:
• by a pop-up bubble tip (this function is provided by the WinRoute Engine Monitor module),
• by a pop-up window upon login to the Administration Console (only in case of subscription expiration).
Note: WinRoute administrators can also have license or subscription expiration alerts sent by email or SMS (see chapter 17.3).
Figure 4.14 The notice informing about upcoming subscription expiration
Figure 4.15 The notice that the subscription has already expired
4.6 User counter
This chapter provides a detailed description of how WinRoute checks whether the number of licensed users has been exceeded. The WinRoute license does not limit the number of user accounts, and the number of user accounts does not affect the number of licensed users.
Start WinRoute
When WinRoute is started, the table of clients includes only the firewall itself. The number of used licenses is zero.
Note: The table of clients is displayed in the Active Hosts section of the Administration Console — see chapter 17.1.
License counter
Whenever communication from any WinRoute client is detected, its IP address is used to check whether a record already exists in the table of clients.
License release
The idle time (i.e. the time for which no packet from the corresponding IP address meeting all conditions is detected) is monitored for each record in the table of clients. If the idle time of a client reaches 15 minutes, the corresponding record is removed from the table and the number of used licenses is decreased by 1. The released license can then be used by another host.
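The following model of the user counter is an added example; it is not Kerio's code and the Engine's actual implementation is not public. It implements exactly the three rules stated above (the firewall is in the table but counts as zero, a first packet from a new IP address adds a record, 15 minutes of idleness removes it). What happens when a host appears after the limit is reached is not stated in this chapter; the example assumes the new host is simply not admitted, in line with the RAS note in chapter 5.4. The class, function and IP addresses are constructed for the example.

```python
# Added example (not Kerio's code): a model of the WinRoute user counter.
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60  # seconds of idleness after which a record is dropped


@dataclass
class LicenseCounter:
    licensed_users: int
    firewall_ip: str
    # table of clients: IP address -> time of the last qualifying packet (seconds)
    clients: dict = field(default_factory=dict)

    def __post_init__(self):
        # On start the table contains only the firewall itself; it is listed
        # but never counted (assumption based on "number of used licenses is zero").
        self.clients[self.firewall_ip] = 0.0

    def used_licenses(self) -> int:
        return sum(1 for ip in self.clients if ip != self.firewall_ip)

    def release_idle(self, now: float) -> list:
        """Remove every client idle for IDLE_TIMEOUT or longer; return the released IPs."""
        released = [ip for ip, last in self.clients.items()
                    if ip != self.firewall_ip and now - last >= IDLE_TIMEOUT]
        for ip in released:
            del self.clients[ip]
        return released

    def packet_seen(self, ip: str, now: float) -> bool:
        """Record a packet from `ip` that meets the counting conditions.

        Returns True if the host holds (or just obtained) a license, False if
        the licensed-user limit is already reached (assumption: such a host is
        not admitted to the Internet until a license is released)."""
        self.release_idle(now)
        if ip in self.clients:
            self.clients[ip] = now          # refresh the idle timer
            return True
        if self.used_licenses() >= self.licensed_users:
            return False
        self.clients[ip] = now              # new record: one more license in use
        return True


def simulate() -> dict:
    """Constructed traffic trace on a 2-user license; returns the observations."""
    counter = LicenseCounter(licensed_users=2, firewall_ip="192.168.1.1")
    results = {}
    results["a"] = counter.packet_seen("192.168.1.10", now=0)
    results["b"] = counter.packet_seen("192.168.1.11", now=60)
    results["used_after_two"] = counter.used_licenses()
    results["c_refused"] = counter.packet_seen("192.168.1.12", now=120)   # limit reached
    # 15 minutes after its last packet .10 is released, so .12 now gets a license
    results["c_admitted"] = counter.packet_seen("192.168.1.12", now=900)
    results["table"] = sorted(ip for ip in counter.clients if ip != "192.168.1.1")
    return results


if __name__ == "__main__":
    print(simulate())
```

The trace shows why the Active Hosts table (chapter 17.1) is the place to look when users report being blocked: a host that was last seen less than 15 minutes ago still holds its license even if it is no longer generating traffic.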
Chapter 5 Settings for Interfaces and Network Services
5.1 Network interfaces
WinRoute functions as a router for all network interfaces installed in the system. The interfaces are listed in the Configuration → Interface section of the Administration Console.
Figure 5.1 Network interfaces
Interface: the name used to identify the interface within WinRoute. It should be unique for easy reference, e.g. Internet for the interface connected to the Internet connection.
Adapter info: adapter identification string returned by the device driver.
ID: a unique identifier of the adapter in the operating system (see also chapter 23.2).
MAC: hardware (MAC) address of the corresponding network adapter.
Use the buttons at the bottom of the interface list to remove or edit properties of the selected interface. If no interface is selected, or the selected interface does not support a certain function, the corresponding buttons are inactive.
• If a network adapter, a Dial-in interface or a VPN server is selected, these buttons are inactive.
Refresh: use this button to refresh the list of interfaces.
Note: Up to 128 IP addresses can be used for each network interface.
Special interfaces
In addition to network adapters, the following two interfaces are provided in the Interfaces section:
Dial-In: this interface represents the server of the RAS service (dial-up connection to the network) on the WinRoute host.
Figure 5.2 Interface type selection
Figure 5.3 Dial-ups — basic parameters
Bind this interface...: select the Windows RAS connection that you use to connect to your ISP.
Notes:
1. WinRoute searches for connections only in the system "phonebook".
2.
Interface name: a unique name that identifies the line within WinRoute. In the Dialing Settings tab you can specify when and how the line will be dialed. Manual dialing is the default.
Figure 5.4 Dial-up — dialing parameters
RAS Entry: the Windows Dial-up Connection entry selected in the Interface identification tab. The RAS entry name is displayed for information only.
Connection: the connection type used for dialing:
• Manual — the line can only be dialed manually, either from the Administration Console or from WinRoute's Web interface (see chapter 9).
• On Demand — the line is dialed whenever a host on the LAN tries to access the Internet (a packet from the LAN arrives at the firewall). For details about WinRoute and system on-demand dial configuration, refer to chapter 16.2.
• The On demand dial enabled option is processed with the lowest priority. If the always option is selected, on-demand dialing is allowed at any time that does not conflict with the time range of the never option.
Hangup if idle: if the line is idle for the defined period, it is hung up automatically. Each incoming or outgoing packet resets the inactivity timer to zero. There is no single optimum length for the timeout period.
...Windows Task Manager. Under specific circumstances, such an application might also block other dials or hang-ups.
Edit interface parameters
Click Edit to modify the parameters of the selected interface. For RAS dial-ups, the Interface properties dialog (identical to the dialog for adding a new RAS dial-up) opens. For network adapters, only the Interface name entry can be edited.
5.2 Connection Failover
Figure 5.7 Traffic policy for primary and alternative Internet connections
Notes:
1. Traffic rules must be defined before Connection Failover Setup (see below) is enabled; otherwise the connection will not function properly.
2. Use the Default outgoing interface option in the NAT rule to ensure that the source IP address in packets going from the local network to the Internet is always translated to the appropriate IP address (i.e.
Figure 5.8 Configuration of primary and secondary Internet connection
Notes:
1. Connection failover is enabled only if at least one probe host is specified (WinRoute cannot detect failure of the primary connection unless at least one probe host is defined).
2. Probe hosts must be computers or network devices that are permanently running (servers, routers, etc.).
3.
Primary connection: parameters of the primary Internet connection. The connection can be defined as either:
• a network interface with a default gateway
• a dial-up connection
Only interfaces and dial-up connections defined in the Interfaces tab are available in the Interface entry (see chapter 5.1).
For these reasons we recommend setting the dial-up parameters as follows:
• for the primary connection — a persistent connection,
• for the secondary connection — on-demand or manual dialing, without an idle hang-up interval.
5.3 DNS Forwarder
Figure 5.9 DNS forwarder settings
Enable DNS forwarding: this option switches the DNS Forwarder on or off (the service listens on port 53 and uses the UDP protocol). If the DNS Forwarder is not needed in your network configuration, it can be switched off. If you want to run another DNS server on the same host, the DNS Forwarder must be switched off, or the two will collide on the port.
...they are considered primary, secondary, etc.). This option should be used when you need to control where DNS queries are forwarded, or to create a more complex configuration.
Enable cache for faster response of repeated queries: if this option is on, all responses are stored in the local DNS Forwarder cache. Responses to repeated queries are then much faster (the same query sent by different clients also counts as a repeated query).
Figure 5.10 Specific settings of DNS forwarding
A DNS server can be specified for:
• a DNS name — queries for the names of computers under that name are forwarded to this DNS server (so-called A queries)
• a subnet — reverse queries for IP addresses in that subnet are forwarded to this DNS server (reverse domain; PTR queries)
Click the Add or Edit button to open a dialog where custom DNS forwarding rules can be defined.
Figure 5.11 DNS forwarding — a new rule
• Use the Reverse DNS query alternative to specify a rule for DNS queries on IP addresses in a particular subnet. The subnet is specified by a network address and the corresponding mask (e.g. 192.168.1.0 / 255.255.255.0).
• Use the Then forward query to DNS Server(s) field to specify the IP address(es) of one or more DNS servers to which the queries will be forwarded.
Before forwarding a query...
These options define where the DNS Forwarder searches for the name or IP address before the query is forwarded to another DNS server.
• 'hosts' file — this file exists on any operating system supporting TCP/IP. Each row of this file contains a host IP address and a list of DNS names for it. When a DNS query is received, this file is checked first to find out whether the requested name or IP address is listed in it.
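The decision order just described (hosts file first, then a matching forwarding rule for a DNS name or a reverse subnet, then the default servers) is shown below as an added example; it is not Kerio's code, and the real Forwarder's matching rules are not spelled out on this page. Two details are assumptions: a DNS-name rule is taken to match the name itself and every name below it, and only A and PTR queries are modelled. The hosts-file content, rule set and server addresses are constructed for the example.

```python
# Added example (not Kerio's code): a model of the DNS Forwarder's lookup order.
import ipaddress
from dataclasses import dataclass

# Constructed hosts-file content (same layout as a real 'hosts' file).
HOSTS_FILE = """
# local hosts; the first name on a line is the canonical one
192.168.1.10   john.company.com  john
192.168.1.20   fileserver.company.com fileserver
"""


@dataclass
class NameRule:
    domain: str        # assumption: matches this name and everything below it
    servers: list


@dataclass
class ReverseRule:
    subnet: ipaddress.IPv4Network   # entered as network address + mask in the dialog
    servers: list


def parse_hosts(text: str):
    """Return (name -> IP, IP -> canonical name) maps from hosts-file text."""
    by_name, by_ip = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ip = ipaddress.ip_address(ip)
        by_ip.setdefault(ip, names[0].lower())
        for name in names:
            by_name.setdefault(name.lower(), ip)
    return by_name, by_ip


def ptr_name_to_ip(qname: str):
    """'10.1.168.192.in-addr.arpa' -> IPv4Address('192.168.1.10'); None if not a PTR name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    return None


class DnsForwarder:
    def __init__(self, default_servers, hosts_text="", rules=()):
        self.default_servers = list(default_servers)
        self.by_name, self.by_ip = parse_hosts(hosts_text)
        self.rules = list(rules)

    def decide(self, qname: str, qtype: str):
        """Return ('local', answer) or ('forward', [servers]) for one query."""
        qname = qname.rstrip(".").lower()
        if qtype == "PTR":
            ip = ptr_name_to_ip(qname)
            if ip is not None:
                if ip in self.by_ip:                        # hosts file first
                    return ("local", self.by_ip[ip])
                for rule in self.rules:                      # then reverse rules
                    if isinstance(rule, ReverseRule) and ip in rule.subnet:
                        return ("forward", rule.servers)
        elif qtype == "A":
            if qname in self.by_name:                        # hosts file first
                return ("local", str(self.by_name[qname]))
            for rule in self.rules:                          # then DNS-name rules
                if isinstance(rule, NameRule) and (qname == rule.domain
                                                   or qname.endswith("." + rule.domain)):
                    return ("forward", rule.servers)
        return ("forward", self.default_servers)             # finally the default servers


def build_example() -> DnsForwarder:
    """Constructed setup: an internal DNS server for company.com and its subnet, ISP DNS otherwise."""
    return DnsForwarder(
        default_servers=["203.0.113.53"],          # constructed ISP resolver address
        hosts_text=HOSTS_FILE,
        rules=[
            NameRule("company.com", ["192.168.1.2"]),
            ReverseRule(ipaddress.ip_network("192.168.1.0/255.255.255.0"), ["192.168.1.2"]),
        ],
    )


if __name__ == "__main__":
    fwd = build_example()
    for q in [("john.company.com", "A"), ("mail.company.com", "A"), ("www.example.com", "A"),
              ("10.1.168.192.in-addr.arpa", "PTR"), ("30.1.168.192.in-addr.arpa", "PTR")]:
        print(q, "->", fwd.decide(*q))
```

Note that the suffix match is anchored on a label boundary, so a rule for company.com does not capture queries for notcompany.com; a forwarder that matched on a bare string suffix would silently send such queries to the internal server.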
...domain to answer queries on fully qualified local DNS names (names including the domain). The problem can be better understood through the following example: the local domain's name is company.com. The host called john is configured to obtain an IP address from the DHCP server. After the operating system starts, the host sends the DHCP server a request that includes its name (john).
5.4 DHCP server
Using DHCP brings two main benefits. First, administration is much easier than with other methods, as all settings are made at the server (individual workstations need not be configured). Second, many network conflicts are eliminated (e.g. one IP address cannot be assigned to more than one workstation).
DHCP Server Configuration
To configure the DHCP server in WinRoute, go to Configuration → DHCP Server.
In the Item column you can find the subnets for which IP address scopes are defined. An IP subnet can be ticked to activate its scope or unticked to make the scope inactive (scopes can be temporarily switched off without deleting and re-adding them). Each subnet also includes a list of the IP address reservations defined in it. In the Default options item (the first item in the table) you can set default parameters for the DHCP server.
Advanced: click this button to open a dialog with a complete list of advanced parameters supported by DHCP (including the four mentioned above). Any DHCP-supported parameter can be added and its value set in this dialog. Default parameters are automatically applied to address scopes unless a particular scope defines its own configuration (the Address Scope → Options dialog).
First address, Last address: the first and last address of the new scope.
Note: If possible, we recommend defining the scope larger than the real number of users in the subnet would require.
Subnet mask: mask of the appropriate subnet. It is assigned to clients together with the IP address.
Note: The Administration Console checks whether the first and last address belong to the subnet defined by the mask.
Parameters
In the Address Scope dialog, the basic DHCP parameters of the addresses assigned to clients can be defined:
• Default Gateway — IP address of the router that will be used as the default gateway for the subnet from which IP addresses are assigned, i.e. the IP address of the interface the network is connected to. A default gateway in another network would be useless (not reachable by clients).
• DNS server — any DNS server (or several DNS servers separated by semicolons).
Figure 5.17 DHCP server — DHCP settings
Figure 5.18 DHCP server — statistics (leased and free IP addresses within the scope)
Lease Reservations
The DHCP server enables the administrator to reserve an IP address for any host. To make a reservation, click the Add → Reservations button in the Scopes folder. Any IP address included in a defined subnet can be reserved.
Figure 5.19 DHCP server — reserving an IP address
...or by dashes, for example: 00-bc-a5-f2-1e-50. The MAC address of a network adapter can be found with operating system tools (e.g. the ipconfig command) or with a special application provided by the network adapter manufacturer.
• host name — DHCP requests from most DHCP clients include a host name (e.g. all Windows operating systems), or the client can be configured to send one (e.g. Linux).
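The checks described for scopes and reservations are shown below as an added example, not Kerio's code: the scope validation the Administration Console performs (first and last address inside the subnet defined by the mask), normalisation of a MAC address entered with colons or dashes, and lookup of a reservation by MAC address or host name. Two points go beyond the text and are assumptions: the example also rejects a scope that hands out the network or broadcast address, and it ignores a reservation whose address lies outside the scope's subnet. All class names, addresses and host names are constructed.

```python
# Added example (not Kerio's code): scope validation and reservation matching
# for the DHCP server settings described in 5.4.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def normalize_mac(raw: str) -> str:
    """Accept 00:bc:a5:f2:1e:50 or 00-bc-a5-f2-1e-50 (any case); return the colon form."""
    digits = re.sub(r"[:\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Scope:
    first: str
    last: str
    mask: str   # dotted mask as entered in the dialog, e.g. 255.255.255.0

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.first}/{self.mask}", strict=False)

    def problems(self) -> list:
        """The checks applied to a new scope; an empty list means the scope is valid."""
        first, last = ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)
        found = []
        if last not in self.network:
            found.append("last address is outside the subnet defined by the mask")
        if last < first:
            found.append("last address precedes first address")
        # assumption: the network and broadcast addresses must not be leased
        if first == self.network.network_address or last == self.network.broadcast_address:
            found.append("scope includes the network or broadcast address")
        return found

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.first) <= addr <= ipaddress.ip_address(self.last)


@dataclass
class Reservation:
    ip: str
    mac: Optional[str] = None        # a reservation is keyed by MAC address ...
    hostname: Optional[str] = None   # ... or by host name

    def __post_init__(self):
        if self.mac is not None:
            self.mac = normalize_mac(self.mac)
        if self.hostname is not None:
            self.hostname = self.hostname.lower()


def find_reservation(reservations, scope: Scope, mac: str,
                     hostname: Optional[str] = None) -> Optional[str]:
    """Return the reserved IP for a DHCP request, or None if the client has no reservation.

    The MAC address is always present in a request; the host name may be absent.
    A reservation outside the scope's subnet is ignored (assumption)."""
    mac = normalize_mac(mac)
    hostname = hostname.lower() if hostname else None
    for r in reservations:
        if r.mac == mac or (hostname is not None and r.hostname == hostname):
            if ipaddress.ip_address(r.ip) in scope.network:
                return r.ip
    return None


if __name__ == "__main__":
    scope = Scope("192.168.1.10", "192.168.1.200", "255.255.255.0")
    print("scope problems:", scope.problems())
    reservations = [Reservation("192.168.1.50", mac="00-bc-a5-f2-1e-50"),
                    Reservation("192.168.1.51", hostname="printer")]
    print(find_reservation(reservations, scope, "00:BC:A5:F2:1E:50"))
    print(find_reservation(reservations, scope, "00:11:22:33:44:55", "PRINTER"))
```

A reservation by host name relies on a value the client itself supplies, whereas a MAC address is read from the request header; where a fixed address matters for firewall rules, reserving by MAC address is the more reliable of the two.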
Figure 5.20 DHCP server — list of leased and reserved IP addresses
The columns in this section contain the following information:
• Leased Address — the leased IP address
• Lease Expiration — date and time when the lease expires
• MAC Address — hardware address of the host to which the IP address is assigned (including the name of the network adapter manufacturer).
The following columns are hidden by default:
• Last Request Time — date and time when the client last requested a lease or a lease extension
• Lease Remaining Time — time remaining until the Lease Expiration
Use the Release button to release the selected IP address immediately (regardless of its status). Released addresses are considered free and can be assigned to other clients immediately.
Figure 5.21 DHCP server — advanced options
...may cause the number of licensed users to be exceeded (if the IP scope for the RAS service is too large and/or an address is leased to RAS clients for too long). Remote clients will then be allowed to connect and communicate with hosts in the local network, but not to connect to the Internet via WinRoute.
5.5 Proxy server
most common situations:
1. To connect from the WinRoute host it is necessary to use your ISP's proxy server. The proxy server included in WinRoute can forward all queries to such a so-called parent proxy server.
2. The Internet connection is established via dial-up and access to certain Web pages is blocked (refer to chapter 10.2).

Figure 5.22 HTTP proxy server settings
If you are not sure that the port you intend to use is free, click the Apply button and check the Error log immediately (check whether or not a report has been logged).
Enable connection to any TCP port
This security option allows or blocks so-called tunneling of application protocols other than HTTP, HTTPS and FTP via the proxy server.

Forward to parent proxy server
Tick this option for WinRoute to forward all queries to the parent proxy server specified by the following data:
• Server — DNS name or IP address of the parent proxy server and the port on which it is running (port 3128 is used by default).
• Parent proxy server requires authentication — enable this option if the parent proxy server requires authentication by username and password. Specify the Username and Password login data.
all local hosts by a single click.
5.6 HTTP cache
Using a cache to access Web pages that are opened repeatedly reduces Internet traffic (on lines where traffic is metered, the cache also noticeably decreases the total volume of transferred data). Downloaded files are saved to the hard disk of the WinRoute host so that they need not be downloaded from the Web server again later.

Figure 5.23 HTTP cache configuration
Cache size
Size of the cache file on the disk. The maximum cache size allowed is 2 GB (2047 MB).
Notes:
If 98 per cent of the cache is full, a so-called cleaning is run; this function removes all objects with an expired TTL. If no objects are deleted, no further objects can be stored in the cache until there is more free space on the disk (made by further cleaning or by manual removal).

Memory cache size
Maximum size of the cache in main memory. This cache is used mainly to speed up writes to the cache on the disk. If the value is too high, the host's performance can be affected negatively (the cache size should not exceed 10 per cent of the computer's memory).
Max HTTP object size
Maximum size of an object that can be stored in the cache. Statistically, the highest number of requests are for small objects (i.e.

Note: Clients can always request a check for updates from the Web server (regardless of the cache settings). Press Ctrl+F5 to do this in Microsoft Internet Explorer or in the Firefox/Netscape/Mozilla/SeaMonkey browsers. You can also set browsers to check for updates automatically whenever a page is opened (then you only need to refresh the particular page).

TTL
TTL of objects matching the particular URL. The 0 days, 0 hours option means that objects will not be cached.
Cache status and administration
WinRoute allows monitoring of the HTTP cache status as well as manipulation of objects in the cache (viewing and removing).
Note: In older versions of WinRoute these features were included in the web interface; since 6.3.0 they are integrated in the Administration Console.

TIP: Multiple objects can be selected by clicking and dragging, or by clicking while holding the Ctrl or Shift key.
Figure 5.
Chapter 6 Traffic Policy
Traffic Policy is part of the basic WinRoute configuration.

6.1 Network Rules Wizard
Step 1 — information
Figure 6.1 Traffic Policy Wizard — introduction
To run successfully, the wizard requires the following on the WinRoute host:
• at least one active adapter connected to the local network
• at least one active adapter connected to the Internet, or at least one dial-up defined. The dial-up need not be active to run the wizard.

Step 3 — network adapter or dial-up selection
If a network adapter is used to connect the host to the Internet, it can be selected in the menu. To make the wizard easier to follow, the IP address, network mask and MAC address of the selected adapter are displayed as well.
Figure 6.3 Network Policy Wizard — selection of a connected adapter
Note: The interface with the default gateway is listed first.

• Use login data from the RAS entry — the username and password for authentication at the remote server will be copied from the corresponding Windows RAS entry. The RAS connection must be saved in the system "phonebook" (the connection must be available to any user).
• Use the following login data — specify the Username and Password to be used for authentication at the remote server.
Allow access to the following services only
Only the selected services will be available from the local network.
Note: Only basic services are listed in this dialog (regardless of which services have been defined in WinRoute — see chapter 12.3). Other services can be allowed by defining separate traffic policy rules — see chapter 6.3.

The dialog for adding a new service is opened with the Add button.
Figure 6.7 Network Policy Wizard — enabling local services
Figure 6.8 Network Policy Wizard — mapping of the local service
Service is running on
Select the computer on which the corresponding service is running (i.e.

Step 7 — NAT
If you use only one public IP address to connect your private local network to the Internet, enable the NAT function (IP address translation). Do not enable this function if WinRoute is used for routing between two public networks or two local segments (neutral router).
Figure 6.9 Traffic Policy Wizard — Internet connection sharing (NAT)
Step 8 — generating the rules
In the last step, traffic rules are generated according to the data specified.

Figure 6.10 Network Rules Wizard — the last step
Rules Created by the Wizard
The traffic policy is easier to understand through the traffic rules created by the Wizard in the previous example.
ICMP traffic
This rule can be added whenever needed, regardless of the settings made in the individual steps. It lets you use the PING command to request a response from the WinRoute host. Important issues can be debugged using this command (i.e.

Figure 6.11 Traffic Policy generated by the wizard
Local Traffic
This rule allows all traffic between local hosts and the host where WinRoute is installed. The Source and Destination items of this rule include all of the WinRoute host's interfaces except the interface connected to the Internet (the interface chosen in step 3). The Source and Destination items also cover the Dial-In interface and a special group called Firewall.

This implies that, by default, the rule allows traffic between the local network (the firewall), remote networks connected via VPN tunnels, and VPN clients connecting to WinRoute's VPN server.
Note: Access to the WinRoute host is not restricted, as the Wizard assumes that this host belongs to the local network. Restrictions can be added by modifying the appropriate rule or by creating a new one.
6.2 How traffic rules work
The traffic policy consists of rules ordered by priority. When the rules are applied, they are processed from the top downwards and the first matching rule is applied. The order of the rules can be changed with the two arrow buttons on the right side of the window. An explicit rule denying all traffic is shown at the end of the list. This rule cannot be edited or removed.
6.3 Definition of Custom Traffic Rules
Figure 6.12 Traffic rule — name, color and rule description
If a description is specified, a "bubble" symbol is displayed in the Name column next to the rule name. Place the mouse pointer over the bubble to view the rule description. It is recommended to describe all created rules for better reference (descriptions are provided automatically for rules created by the wizard).

A new source or destination item can be defined after clicking the Add button:
• Host — the host IP address or name (e.g. 192.168.1.1 or www.company.com)
Warning: If either the source or the destination computer is specified by DNS name, WinRoute tries to resolve its IP address while processing the corresponding traffic rule. If no matching record is found in the cache, the DNS forwarder forwards the query to the Internet.

1. Incoming VPN connections (VPN clients) — all VPN clients connected to the WinRoute VPN server via the Kerio VPN Client
2. VPN tunnel — a network connected to this server from a remote server via a VPN tunnel. The All option covers all networks connected by all defined VPN tunnels that are active at the particular moment.
For detailed information on the proprietary VPN solution integrated in WinRoute, refer to chapter 21.

1. If you require authentication for any rule, make sure that a rule exists that allows users to connect to the firewall authentication page. If users connect from various hosts, the IP addresses of all these hosts must be taken into account.
2. If user accounts or groups are used as the source in the Internet access rule, neither automatic redirection to the authentication page nor NTLM authentication will work.

Figure 6.16 Traffic rule — setting a service
Use the Any button to replace all defined items with the Any item (this item is also used by default for all new rules). Whenever at least one service is added, the Any value is removed automatically. Use the Remove button to remove all defined items (the Nothing value will be displayed in the item list). Whenever at least one service is added, the Nothing value is removed automatically.

Figure 6.17 Traffic rule — selecting an action
• Permit — traffic will be allowed by the firewall
• Deny — the client will be informed that access to the address or port is denied. The client is warned promptly, but it also learns that the traffic is blocked by a firewall.
• Drop — all packets matching this rule will be dropped by the firewall. The client is sent no notification and will perceive the result as a network outage.

• Log matching packets — all packets matching the rule (permitted, denied or dropped, according to the rule definition) will be logged in the Filter log.
• Log matching connections — all connections matching this rule will be logged in the Connection log (only for permit rules). Individual packets belonging to these connections will not be logged.
Note: Connections cannot be logged for deny or drop rules.
Translation
Source and/or destination IP address translation.
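The evaluation order of chapter 6.2 and the action and logging options of chapter 6.3 can be simulated in a few dozen lines. The following is an added example, not code from the WinRoute guide or from Kerio; the rule names, networks, ports and sample packets are constructed for illustration.

```python
"""Simulation of WinRoute-style traffic policy evaluation.

Added example, not code from the Kerio WinRoute Firewall guide. It models
chapter 6.2 (rules processed top-down, first match wins, explicit final
deny-all that cannot be removed) and the action/logging options of
chapter 6.3 (Permit, Deny, Drop; Filter log for packets, Connection log
only for permitted connections). All rules, networks and packets below
are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                       # "permit", "deny" or "drop"
    src: str = ANY                    # CIDR or "any"
    dst: str = ANY                    # CIDR or "any"
    services: frozenset = frozenset() # {(proto, port)}; empty means Any
    log_packets: bool = False         # "Log matching packets" -> Filter log
    log_connections: bool = False     # "Log matching connections" -> Connection log


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Decision:
    rule: str
    action: str
    client_notified: bool            # Deny informs the client, Drop is silent
    logs: list = field(default_factory=list)


# The explicit deny-all rule that always sits at the end of the list.
CATCH_ALL = Rule(name="Deny all (built-in)", action="deny")


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def _service_matches(rule: Rule, pkt: Packet) -> bool:
    return not rule.services or (pkt.proto, pkt.dport) in rule.services


def evaluate(policy: list, pkt: Packet) -> Decision:
    """Return the decision of the first matching rule, processed top-down."""
    for rule in list(policy) + [CATCH_ALL]:
        if not (_addr_matches(rule.src, pkt.src)
                and _addr_matches(rule.dst, pkt.dst)
                and _service_matches(rule, pkt)):
            continue
        logs = []
        if rule.log_packets:
            logs.append("filter")
        # Connections are logged only for permit rules (chapter 6.3 note).
        if rule.log_connections and rule.action == "permit":
            logs.append("connection")
        return Decision(rule.name, rule.action,
                        client_notified=(rule.action == "deny"), logs=logs)
    raise AssertionError("unreachable: the catch-all rule always matches")


# Constructed sample policy: the LAN may browse the web, outgoing SSH is
# denied with a notice, everything else from the LAN is dropped silently.
SAMPLE_POLICY = [
    Rule("Deny SSH out", "deny", src="192.168.1.0/24",
         services=frozenset({("tcp", 22)}), log_packets=True,
         log_connections=True),   # has no effect: deny rules log no connections
    Rule("LAN web access", "permit", src="192.168.1.0/24",
         services=frozenset({("tcp", 80), ("tcp", 443)}),
         log_connections=True),
    Rule("Drop everything else from LAN", "drop", src="192.168.1.0/24",
         log_packets=True),
]


if __name__ == "__main__":
    for p in (Packet("192.168.1.10", "203.0.113.5", "tcp", 443),
              Packet("192.168.1.10", "203.0.113.5", "tcp", 22),
              Packet("192.168.1.10", "203.0.113.5", "udp", 53),
              Packet("198.51.100.7", "192.168.1.10", "tcp", 445)):
        d = evaluate(SAMPLE_POLICY, p)
        print(f"{p.proto}/{p.dport} from {p.src}: {d.action} by '{d.rule}', "
              f"client notified={d.client_notified}, logs={d.logs}")
```

Moving the "Deny SSH out" rule below "LAN web access" would not change the outcome for port 22, but moving it below the drop rule would silence it, which is the ordering effect the arrow buttons expose.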
know the DNS name of your host, use the Resolve button to translate the DNS name to an IP address.
Warning: The IP address must be assigned to an interface (bound in the TCP/IP stack) of the WinRoute host!
Destination address translation (also called port mapping) is used to allow access to services hosted behind the firewall. All incoming packets that match the defined rules are redirected to a defined host (the destination address is changed).

Valid on
The time interval within which the rule is valid. Outside this interval WinRoute ignores the rule. The special always option can be used to disable the time limitation (it is not displayed in the Traffic Policy dialog). When a denying rule comes into effect and/or an allowing rule stops being in effect, all active network connections matching the particular rule are closed immediately.

Note: Use the Default option for the Protocol Inspector item if a particular service (see the Service item) is used in the rule definition (the protocol inspector is included in the service definition).
6.4 Basic Traffic Rule Types
WinRoute's traffic policy provides a range of network traffic filtering options. This chapter presents rules used in standard configurations. Using these examples you can easily create a set of rules for your own network configuration.
Translation
In the Source NAT section select the Translate to IP address of outgoing interface option (the primary IP address of the interface through which packets leave the WinRoute host will be used for NAT). To use another IP address for the translation, use the Translate to IP address option and specify the address. The address should be one of the addresses used on the Internet interface, otherwise IP translation will not function correctly.

Source
The interface connected to the Internet (requests from the Internet arrive on this interface).
Destination
The WinRoute host, labelled Firewall, which represents all IP addresses bound to the firewall host. The service will be available at all addresses of the interface connected to the Internet. To make the service available at a particular IP address only, use the Host option and specify the IP address.
Service
The services to be made available.

Multihoming
Multihoming is the term for situations where one network interface connected to the Internet uses multiple public IP addresses. Typically, different services are made available through the individual IP addresses (the services are thus mutually independent).
Example: A web server web1 with IP address 192.168.1.100 and a web server web2 with IP address 192.168.1.200 are running in the local network.

as all traffic that does not meet these requirements will be blocked by the default "catch all" rule. Other methods of limiting Internet access can be found in the Exceptions section (see below).
Note: The rules in these examples can also be used if WinRoute is intended as a neutral router (no address translation) — in that case no translations are defined in the Translation entry.
1. Allow access to selected services only.

Alternatively, you can define the rule so that only authenticated users may access specific services. Any user with a user account in WinRoute will be allowed to access the Internet after authenticating to the firewall. Firewall administrators can then easily monitor which services and pages are opened by each user (anonymous connections are not possible).
Figure 6.
Chapter 7 Bandwidth Limiter
The main problem of a shared Internet connection arises when one or more users download or upload large volumes of data and occupy a large part of the capacity of the Internet line (the so-called bandwidth). The other users are then slowed down, or certain services may even fail for them (e.g. if the maximum response time is exceeded).

7.2 Bandwidth Limiter configuration
The Bandwidth Limiter parameters can be set under Configuration → Bandwidth Limiter.
Figure 7.1 Bandwidth Limiter configuration
The Bandwidth Limiter module lets you define speed reductions for incoming traffic (i.e. from the Internet to the local network) and for outgoing traffic (i.e. from the local network to the Internet), applied to transfers of large data volumes and to users who have exceeded their quota.

Tests have shown that the optimal usage of the Internet line capacity is reached if the value is set to approximately 90 per cent of the bandwidth. If the values are higher, the bandwidth limiter is not effective (not enough capacity is reserved for other connections and services when large data volumes are being transferred). If they are lower, the full line capacity is often not used.

Figure 7.2 Bandwidth Limiter — network services
• Apply to all services — the limits will be applied to all traffic between the local network and the Internet.
• Apply to the selected services only — the limits will apply only to the selected network services. Traffic of other services is not limited.

Figure 7.3 Bandwidth Limiter — selection of network services
Figure 7.4 Bandwidth Limiter — IP Addresses and Time Interval
At the top of the Constraints tab, select how the bandwidth limit will be applied to IP addresses and define the IP address group:
• Apply to all traffic — the IP address group specification is inactive, as it is irrelevant.

group. Other traffic will not be limited.
• Apply to all except the selected address group — the bandwidth limiter will not be applied if at least one IP address involved in a connection belongs to the address group. Any other traffic will be limited.
In the lower section of the Constraints tab, a time range within which the bandwidth will be limited can be set. Click Edit to edit the selected interval or to create a new one (details in chapter 12.2).
7.3 Detection of connections with large data volume transferred
data volumes in longer intervals. Large data volume transfers typically take the form of a continuous data flow with minimal gaps between the transfer bursts. Two basic parameters are tested for each connection: the volume of transferred data and the duration of the longest idle interval.

3. The connection shown in figure 7.8 transfers 100 KB of data before a 6 second idle interval. For this reason, the counter of transferred data is reset to zero. Three more blocks of 100 KB are then transmitted. When the third block is transferred, only 200 KB of transmitted data are recorded by the counter (since the last long idle interval).
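The two parameters named above (volume since the last long idle interval, and the longest idle interval) are enough to write the classifier. The following is an added example, not code from the WinRoute guide or from Kerio; the thresholds and the two sample transfer timelines are constructed values, not those of figure 7.8.

```python
"""Detector for connections transferring large data volumes.

Added example, not code from the WinRoute guide. It implements the rule
described in chapter 7.3: a per-connection counter of transferred bytes is
reset to zero whenever the idle gap between two transfer bursts reaches the
idle threshold, and the connection is classified as a large transfer once
the counter (bytes since the last long idle interval) reaches the volume
threshold. Thresholds and sample timelines are constructed values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

KB = 1024


@dataclass
class Detector:
    volume_threshold: int = 200 * KB   # constructed: bytes that trigger the limit
    idle_threshold: float = 5.0        # constructed: seconds of idleness that reset
    counter: int = 0                   # bytes since the last long idle interval
    longest_idle: float = 0.0          # longest idle interval seen so far
    last_time: Optional[float] = None
    large: bool = False                # True once the volume threshold is reached

    def observe(self, t: float, nbytes: int) -> bool:
        """Feed one transfer burst of `nbytes` at time `t`; return flag state."""
        if self.last_time is not None:
            idle = t - self.last_time
            self.longest_idle = max(self.longest_idle, idle)
            if idle >= self.idle_threshold:
                # A long pause means this is not a continuous bulk transfer:
                # start counting again from zero.
                self.counter = 0
        self.last_time = t
        self.counter += nbytes
        if self.counter >= self.volume_threshold:
            self.large = True
        return self.large


def classify(bursts: Iterable[Tuple[float, int]], **kw) -> Tuple[bool, int, float]:
    """Replay (time, bytes) bursts; return (flagged, final counter, longest idle)."""
    d = Detector(**kw)
    for t, n in bursts:
        d.observe(t, n)
    return d.large, d.counter, d.longest_idle


# Constructed timelines. A continuous download: 100 KB every second.
BULK: List[Tuple[float, int]] = [(0.0, 100 * KB), (1.0, 100 * KB),
                                 (2.0, 100 * KB), (3.0, 100 * KB)]
# A bursty session: 100 KB, then a 6 s pause, repeated. Same total volume,
# but the counter is reset at every pause and never reaches the threshold.
BURSTY: List[Tuple[float, int]] = [(0.0, 100 * KB), (6.0, 100 * KB),
                                   (12.0, 100 * KB), (18.0, 100 * KB)]

if __name__ == "__main__":
    for name, timeline in (("bulk", BULK), ("bursty", BURSTY)):
        flagged, counter, idle = classify(timeline)
        print(f"{name}: large={flagged}, counter={counter // KB} KB, "
              f"longest idle={idle:.0f} s")
```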
Chapter 8 User Authentication
WinRoute allows administrators to monitor connections (packet, connection, Web page or FTP object and command filtering) related to each user. A username in a filtering rule represents the IP address of the host(s) from which the user is connected (i.e. all hosts the user is currently connected from). This implies that a user group represents all IP addresses its members are currently connected from.

traffic coming from the particular host is detected, WinRoute assumes that it is currently being used by the particular user, and the user is considered authenticated from that IP address. However, users may also authenticate from other hosts (using the methods described above). IP addresses for automatic authentication can be set when defining the user account (see chapter 13.1).

8.1 Firewall User Authentication
Redirection to the authentication page
If the Always require users to be authenticated when accessing web pages option is enabled, user authentication is required for access to any website (unless the user is already authenticated).

method is not available for other operating systems. For details, refer to chapter 23.3.
Automatically logout users when they are inactive
Timeout is the period (in minutes) of allowed user inactivity. When this period expires, the user is automatically logged out of the firewall. The default timeout value is 120 minutes (2 hours). This typically happens when a user forgets to log out of the firewall.
Chapter 9 Web Interface
WinRoute contains a special Web server that serves several purposes, such as an interface for user authentication and for setting certain user account parameters. This Web server is available over SSL or over standard unencrypted HTTP (both versions contain identical pages). Use the following URL ('server' refers to the name or IP address of the WinRoute host, 4080 is the standard HTTP interface port) to open the unsecured version of the web interface.

Figure 9.1 Configuration of WinRoute's Web Interface
Enable secured Web Interface (HTTPS)
Use this option to enable the secured version (HTTPS) of the Web interface. The default port for this interface is 4081.
WinRoute server name
The server DNS name to be used by the Web interface (e.g. server.company.com). The name need not be identical to the host name; however, a corresponding DNS entry must exist for proper name resolution.

9.1 Web Interface Parameters Configuration
Advanced parameters for the Web interface can be set by clicking the Advanced button.
Configuration of ports of the Web Interface
Use the TCP ports section to set the ports for the unencrypted and encrypted versions of the Web interface (the defaults are 4080 for the unencrypted and 4081 for the encrypted version).
Figure 9.

SSL Certificate for the Web Interface
The encrypted WinRoute Web interface relies on all communication between client and server being encrypted, to protect it from eavesdropping and misuse of the transmitted data. The SSL protocol first uses asymmetric encryption to exchange a symmetric encryption key, which is then used to encrypt the transmitted data.

Figure 9.3 SSL certificate of WinRoute's Web interface
Figure 9.4 Creating a new "self-signed" certificate for WinRoute's Web interface
Click the OK button to view the Server SSL certificate dialog. The certificate takes effect automatically (you will not need to restart your operating system). When created, the certificate is saved as server.crt and the corresponding private key as server.key. A new (self-signed) certificate is unique.

of your server is guaranteed by it. Clients will be warned only that the certificate was not issued by a trusted certification authority. However, they can install the certificate in the browser without concern, since they know who created the certificate and why. Secure communication is then ensured for them and no warning will be displayed again, because your certificate has everything it needs.
9.2 Login/logout page
Figure 9.5 Login page of the firewall's Web interface
• User from the local database — the name must be specified without the domain (e.g. admin),
• Primary domain — the domain may be omitted from the name (e.g. jsmith), but it may also be included (e.g. jsmith@company.com),
• Other domains — the name must include the domain (e.g. drdolittle@usoffice.company.com).

(see chapter 9.3).
Log out
Once finished with activities that require authentication, it is recommended to log out of the firewall using the Logout button. Logging out is especially important when multiple users work at the same host. If a user does not log out of the firewall, their identity can easily be misused.

An authenticated user connecting to the web interface can continue working in the interface after entering their password. If a new user attempts to connect to the web interface, the currently connected user must log out first; the new user is then asked to authenticate by username and password.
9.

Figure 9.8 Current web restrictions and rules
For details on restriction rules for accessing Web pages refer to chapter 10.2.
9.4 User preferences
The Preferences tab allows custom web content filtering and the user password to be set. The upper section of the page allows particular items of web pages to be permitted or denied.
Content filter options
If the checkbox under a filter is enabled, the feature will be available (it will not be blocked by the firewall).

Figure 9.9 Customized Web objects filtering
This option blocks the window.open() method in JavaScript.
• Cross-domain referrer — blocking of the Referer item in HTTP headers. This item carries the page that was viewed prior to the current page. The Cross-domain referrer option blocks the Referer item when it does not match the requested server name.
Chapter 10 HTTP and FTP filtering
WinRoute provides a wide range of features for filtering traffic that uses the HTTP and FTP protocols. These are the most widespread and most used protocols on the Internet. The main purposes of HTTP and FTP content filtering are:
• to block access to undesirable Web sites (i.e. pages unrelated to employees' work)
• to block certain types of files (i.e.

Note: WinRoute only provides the tools for filtering and access limitation. Decisions on which websites and files to block must be made by the administrator (or another qualified person).
10.1 Conditions for HTTP and FTP filtering
For HTTP and FTP content filtering, the following conditions must be met:
1. Traffic must be handled by the appropriate protocol inspector.

10.2 URL Rules
Figure 10.1 URL Rules
and block access to all other web pages, a rule denying access to any URL must be placed at the end of the rule list. The following items (columns) can be displayed in the URL Rules tab:
• Description — description of a particular rule (for reference only). Use the checkbox next to the description to enable or disable the rule (for example, temporarily).

Note: The default WinRoute installation includes several predefined URL rules. These rules are disabled by default and are available to WinRoute administrators.
URL Rules Definition
To create a new rule, select the rule after which the new rule is to be added and click Add. You can later reorder the rule list using the arrow buttons. The Add button opens a dialog for creating a new rule.
Figure 10.

Open the General tab to set general rule parameters and the actions to be taken.
Description
Description of the rule (information for the administrator).
If user accessing the URL is
Select the users to whom this rule applies:
• any user — all users (no authentication required),
• selected user(s) — selected users and/or user groups who have authenticated to the firewall.
Notes:
1. It is often desirable that the firewall requires users to authenticate before letting them open a web page.
Warning: If access to servers specified by IP address is not denied, users can bypass URL rules in which servers are specified by name.
Action
Selection of the action to be taken whenever a user accesses a URL matching the rule:
• Allow access to the Web site
• Deny access to the Web site — the requested page will be blocked. The user will be informed that access is denied, or a blank page will be displayed (according to the settings in the Advanced tab — see below).

Valid at time interval
Selection of the time interval during which the rule is valid (outside this interval the rule is ignored). Use the Edit button to edit time intervals (for details see chapter 12.2).
Valid for IP address group
Selection of the IP address group to which the rule applies. Client (source) addresses are considered. Use the Any option to make the rule independent of the client. Click the Edit button to edit IP groups (for details see chapter 12.1).

Open the Content Rules tab (in the HTTP Rules section) to specify details for content filter rules. Parameters on this tab can be modified only for rules where the Allow access to the Web site option is enabled.
Figure 10.4 Options for Websites with content meeting a URL rule
WWW content scanning options
In this section you can define advanced parameters for filtering objects contained in Web pages that match the particular rule (for details refer to chapter 10.3).

HTTP Inspection Advanced Options
Click the Advanced button in the HTTP Policy tab to open a dialog where parameters for the HTTP inspection module can be set.
Figure 10.5 HTTP protocol inspector settings
Use the Enable HTTP Log and Enable Web Log options to enable or disable logging of HTTP queries (opened web pages) to the HTTP log (see chapter 20.10) and to the Web log (refer to chapter 20.14). A log format can be chosen for the Enable HTTP Log item: Apache access log (http://www.apache.

10.3 Global rules for Web elements
In WinRoute you can also block certain features contained in HTML pages. Typical undesirable items are ActiveX objects (they may allow applications to be started on client hosts) and pop-up windows (automatically opened browser windows, usually used for advertising). To define global content filtering rules go to the Content Rules tab in the Configuration → Content Filtering → HTTP Policy section.
Allow HTML JavaScript pop-up windows
Automatic opening of new browser windows — usually pop-up windows with advertisements. This option enables or blocks the window.open() method in scripts.
Allow

When the WinRoute Engine starts, access to the database server is checked (this process is called activation). The activation is refreshed regularly. If the line is down while the activation is being performed or refreshed, the activation does not take place and the ISS OrangeWeb Filter module will not work.

10.4 Content Rating System (ISS OrangeWeb Filter)
Enable ISS OrangeWeb Filter
Use this option to enable or disable the ISS OrangeWeb Filter module for classification of websites. If ISS OrangeWeb Filter is disabled:
• the other options in the ISS OrangeWeb Filter tab are not available,
• all URL rules that use the ISS OrangeWeb Filter classification are disabled (for details, refer to chapter 10.4).

the following rule has been defined in the URL Rules tab in Configuration → Content Filtering → HTTP Rules:
Figure 10.8 ISS OrangeWeb Filter rule
The key parameter is the is rated by ISS OrangeWeb Filter rating system option. The URL of each opened page will be rated by the ISS OrangeWeb Filter module. Access to every page that matches a rating category included in the database will be denied.

Figure 10.9 ISS OrangeWeb Filter categories
Notes:
1. Use the Check button to check all items included in the selected category. You can uncheck all items in the category by clicking Uncheck.
2. We recommend making rules that use the ISS OrangeWeb Filter rating system unlockable (the Users can Unlock this rule option in the Advanced tab). This allows users to unlock pages blocked due to incorrect classification.
10.
Chapter 10 HTTP and FTP filtering Warning: Definition of forbidden words and treshold value is ineffective unless corresponding URL rules are set! Definition of rules filtering by word occurrence First, suppose that some forbidden words have been already defined and a treshold value has been set (for details, see below).
10.5 Web content filtering by word occurrence On the Content Rules tab, check the Deny Web pages containing... option to enable filtering by word occurrence. Figure 10.11 A rule filtering web pages by word occurrence (word filtering) Word groups To define word groups go to the Word Groups tab in Configuration → Content Filtering → HTTP Policy, the Forbidden Words tab. Words are sorted into groups. This feature only makes WinRoute easier to follow.
Figure 10.12 Groups of forbidden words
page). If the total weight of the tested page exceeds this limit, access to the page will be denied (each word is counted only once, regardless of how many times it occurs on the page).
Definition of forbidden words
Use the Add button to add a new word into a group or to create a new group.
Figure 10.
Group
Selection of the group to which the word will be added. You can also enter a new name to create a new group.
Keyword
The forbidden word that is to be scanned for.
Weight
Word weight (affects the decision about page denial).
Description
A comment on the word or group.
10.6 FTP Policy
To define rules for access to FTP servers go to Configuration → Content Filtering → FTP Rules.
Figure 10.
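The weight-and-threshold logic described above, written out as an added example (this is not WinRoute's code): every forbidden word found on a page adds its weight once, however often it occurs, and the page is denied only when the sum exceeds the threshold. The word list, the page text and the choice of case-insensitive substring matching are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class ForbiddenWord:
    """One entry of the Forbidden Words tab: group, keyword, weight, description."""
    group: str
    keyword: str
    weight: int
    description: str = ""


def page_weight(text: str, words: Iterable[ForbiddenWord],
                enabled_groups: Optional[Set[str]] = None) -> int:
    """Total weight of a page.

    Each forbidden word that occurs anywhere in the page contributes its weight
    exactly once, no matter how many times it appears. Words whose group is not
    enabled are ignored. Case-insensitive substring matching is an assumption;
    the manual does not say how words are located in the page.
    """
    haystack = text.lower()
    total = 0
    for word in words:
        if enabled_groups is not None and word.group not in enabled_groups:
            continue  # group is unchecked in the Word Groups tab
        if word.keyword.lower() in haystack:
            total += word.weight  # counted once per word, not per occurrence
    return total


def is_denied(text: str, words: Iterable[ForbiddenWord], threshold: int,
              enabled_groups: Optional[Set[str]] = None) -> bool:
    """Access is denied only when the total weight *exceeds* the threshold."""
    return page_weight(text, words, enabled_groups) > threshold


# Constructed sample data (not taken from the manual).
SAMPLE_WORDS = [
    ForbiddenWord("Gambling", "casino", 40, "online gambling"),
    ForbiddenWord("Gambling", "poker", 30),
    ForbiddenWord("Jobs", "resume", 50, "job hunting"),
]

SAMPLE_PAGE = "Welcome to our CASINO! Play poker, poker and more poker."

if __name__ == "__main__":
    # casino (40) + poker (30, counted once) = 70; "resume" is absent
    print(page_weight(SAMPLE_PAGE, SAMPLE_WORDS))
    print(is_denied(SAMPLE_PAGE, SAMPLE_WORDS, threshold=60))  # True
    print(is_denied(SAMPLE_PAGE, SAMPLE_WORDS, threshold=70))  # False: equal, not above
```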
If undesirable, this rule can be disabled. This is not recommended, as it might jeopardize scanning reliability. However, there is a more secure way to limit this behavior: create a rule which allows unlimited connections to a particular FTP server. The rule will take effect only if it is placed before the Resume rule. For details on antivirus scanning of the FTP protocol, refer to chapter 11.3.
Figure 10.15 FTP Rule — basic parameters
Warning: Rules are disabled unless a corresponding IP address is found!
• IP address from group — selection of IP addresses of FTP servers that will be either denied or allowed. Click on the Edit button to edit IP groups (for details see chapter 12.1).
(see chapter 20.9). Go to the Advanced tab to define other conditions that must be met for the rule to be applied and to set advanced options for FTP communication.
Figure 10.16 FTP Rule — advanced settings
Valid at time interval
Selection of the time interval during which the rule will be valid (outside this interval the rule will be ignored). Use the Edit button to edit time intervals (for details see chapter 12.2).
If any of these options is chosen, you can specify the names of files to which the rule will be applied using the File name entry. Wildcard matching can be used to specify a file name (e.g. *.exe for executables).
Chapter 11 Antivirus control
WinRoute provides antivirus checking of objects (files) transmitted by the HTTP, FTP, SMTP and POP3 protocols. For HTTP and FTP, the WinRoute administrator can specify which types of objects will be scanned. WinRoute is also distributed in a special version which includes the integrated McAfee antivirus. Besides the integrated antivirus, WinRoute supports several antivirus programs developed by various companies, such as Eset Software, Grisoft, F-Secure, etc.
11.1 Conditions and limitations of antivirus scan
(see chapter 12.3). This implies that the antivirus check is limited by the following factors:
• Antivirus check cannot be used if the traffic is transferred over a secured channel (SSL/TLS). In such a case, it is not possible to decrypt the traffic and separate the transferred objects.
• Within email antivirus scanning (SMTP and POP3 protocols), the firewall only removes infected attachments — it is not possible to drop entire email messages.
11.2 How to choose and set up antiviruses
To select antiviruses and set their parameters, open the Antivirus tab in Configuration → Content Filtering → Antivirus. On this tab, you can select the integrated McAfee module, an external antivirus, or both. If both antiviruses are used, each transferred object (downloaded file, email attachment, etc.) will be checked first by the integrated McAfee antivirus module and then by the other antivirus (the selected external antivirus).
Check for update every ... hours
Time interval of checks for new updates of the virus database and the antivirus engine (in hours). If any new update is available, it will be downloaded automatically by WinRoute. If the update attempt fails (e.g. the server is not available), detailed information about the attempt will be logged into the Error log (refer to chapter 20.8). Each download (update) attempt sets the Last update check performed value to zero.
External antivirus
For an external antivirus, enable the Use external antivirus option in the Antivirus tab and select the antivirus to be employed from the combo box. This menu lists all external antivirus programs supported in WinRoute by special plugins.
Warning: The external antivirus must be installed before it is set, otherwise it is not available in the combo box. It is recommended to stop the WinRoute Firewall Engine service before an antivirus installation.
Figure 11.
We strongly discourage administrators from changing the default value for the file size limit. In any case, do not set the value to more than 4 MB.
Figure 11.5 Selecting application protocols to be scanned and setting file size limits
Parameters for HTTP and FTP scanning can be set in the HTTP and FTP scanning tab (refer to chapter 11.3), while SMTP and POP3 scanning can be configured in the Email scanning tab (see chapter 11.4).
Warning: 1.
in WinRoute. To achieve this, disable antivirus check for the SMTP protocol or define a corresponding traffic rule where no protocol inspector will be applied (see chapter 23.4).
11.3 HTTP and FTP scanning
For HTTP and FTP traffic, objects (files) of selected types are scanned. The file being transmitted is saved in a temporary file on the local disk of the firewall.
Figure 11.7 Settings for HTTP and FTP scanning
Infected files (files which are suspected of being infected) are saved into this directory with names which are generated automatically. The name of each file includes information about the protocol, date, time and connection number used for the transmission.
sponding user account (see chapter 13.1) and the SMTP server used for mail sending is configured correctly (refer to chapter 16.4).
Note: Regardless of whether the Alert the client option is used, alerts can be sent to specified addresses (e.g. addresses of network administrators) whenever a virus is detected. For details, refer to chapter 17.3.
Figure 11.8 Definition of an HTTP/FTP scanning rule
— this option filters out certain filenames (not entire URLs) transmitted by FTP or HTTP (e.g. *.exe, *.zip, etc.). If only an asterisk is used for the specification, the rule will apply to any file transmitted by HTTP or FTP.
The other two conditions can be applied only to HTTP:
• MIME type — MIME types can be specified either by complete expressions (e.g. image/jpeg) or using wildcard matching (e.g. application/*).
type must be added to the end of the list (the Skip all other files rule is predefined for this purpose).
11.4 Email scanning
Scanning settings for the SMTP and POP3 protocols are defined on this tab. If scanning is enabled for at least one of these protocols, all attachments of transmitted messages are scanned. Individual attachments of transmitted messages are saved in a temporary directory on the local disk. When downloaded completely, the files are scanned for viruses.
Figure 11.9 Settings for SMTP and POP3 scanning
In the Specify an action which will be taken with attachments... section, the following actions can be set for messages considered infected by the antivirus:
• Move message to quarantine — untrustworthy messages will be moved to a special directory on the WinRoute host. The WinRoute administrator can try to heal infected files and later send them to their original addressees.
Note: Regardless of what action is set to be taken, the attachment is always removed and a warning message is attached instead.
Use the TLS connections section to set firewall behavior for cases where both the mail client and the server support TLS-secured SMTP or POP3 traffic. When the TLS protocol is used, an unencrypted connection is established first. Then, client and server agree on switching to the secure mode (encrypted connection).
Chapter 12 Definitions
12.1 IP Address Groups
IP groups are used for simple access control to certain services (e.g. WinRoute's remote administration, a Web server located in the local network and available from the Internet, etc.). When setting access rights, a group name is used. The group itself can contain any combination of computers (IP addresses), IP address ranges, subnets or other groups.
Figure 12.2 IP group definition
Name
The name of the group. Enter a new name to create a new group, or select an existing group name to add a new item to that group.
Type
Type of the new item:
• Host (IP address or DNS name of a particular host)
• Network / Mask (subnet with a corresponding mask)
• Network / Range (IP range)
• Address group (another group of IP addresses — groups can be cascaded)
IP address, Mask...
Parameters of the new item (related to the selected type).
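An added example (not WinRoute's code) of how the four item types of an IP group can be evaluated for a given address, including cascaded groups and protection against a group that (directly or indirectly) contains itself. Group names, addresses and the tuple encoding of items are assumptions; DNS-name hosts are assumed to be resolved to addresses beforehand.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# One item of a group, mirroring the Type field of the dialog in Figure 12.2:
#   ("host", "192.168.1.10")                    Host (an IP address)
#   ("mask", "192.168.1.0", "255.255.255.0")    Network / Mask
#   ("range", "10.0.0.10", "10.0.0.20")         Network / Range
#   ("group", "Servers")                        Address group (cascaded)
Item = Tuple[str, ...]


class IPGroups:
    """Membership test for cascaded IP address groups (constructed example)."""

    def __init__(self) -> None:
        self._groups: Dict[str, List[Item]] = {}

    def add(self, group: str, item_type: str, *params: str) -> None:
        # A new group name creates the group; an existing name extends it.
        self._groups.setdefault(group, []).append((item_type, *params))

    def contains(self, group: str, ip: str,
                 _visited: Optional[Set[str]] = None) -> bool:
        """True if ip matches any item of the group or of a cascaded group."""
        addr = ipaddress.ip_address(ip)
        visited = set() if _visited is None else _visited
        if group in visited:
            return False  # cascade loop (A -> B -> A): do not recurse again
        visited.add(group)
        for item_type, *params in self._groups.get(group, []):
            if item_type == "host":
                if addr == ipaddress.ip_address(params[0]):
                    return True
            elif item_type == "mask":
                # ipaddress accepts "network/netmask" as well as prefix length
                net = ipaddress.ip_network(f"{params[0]}/{params[1]}", strict=False)
                if addr in net:
                    return True
            elif item_type == "range":
                low = ipaddress.ip_address(params[0])
                high = ipaddress.ip_address(params[1])
                if low <= addr <= high:
                    return True
            elif item_type == "group":
                if self.contains(params[0], ip, visited):
                    return True
            else:
                raise ValueError(f"unknown item type {item_type!r}")
        return False


def build_sample_groups() -> IPGroups:
    """Constructed sample configuration (names and addresses are made up)."""
    g = IPGroups()
    g.add("Servers", "host", "192.168.1.10")
    g.add("LAN", "mask", "192.168.1.0", "255.255.255.0")
    g.add("Admins", "range", "10.0.0.10", "10.0.0.20")
    g.add("Admins", "group", "Servers")   # cascaded group
    g.add("Loop", "group", "Loop")        # self-reference, must not recurse forever
    return g


if __name__ == "__main__":
    groups = build_sample_groups()
    for name, ip in [("Admins", "10.0.0.15"), ("Admins", "192.168.1.10"),
                     ("Admins", "192.168.1.11"), ("LAN", "192.168.1.200"),
                     ("Loop", "1.2.3.4")]:
        print(f"{ip} in {name}: {groups.contains(name, ip)}")
```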
12.2 Time Intervals
Using time ranges you can also set dial-up parameters — see chapter 5.1. To define time ranges go to Configuration → Definitions → Time Ranges.
Figure 12.
Figure 12.4 Time range definition
Time Interval Type
Time range type: Daily, Weekly or Absolute. The last type refers to user-defined initial and terminal dates.
From, To
The beginning and the end of the time range. Beginning and end hours, days or dates can be defined according to the selected time range type.
Valid at days
Defines the days on which the interval will be valid.
12.3 Services
WinRoute services enable the administrator to define communication rules easily (by permitting or denying access to the Internet from the local network or by allowing access to the local network from the Internet). Services are defined by a communication protocol and by a port number (e.g. the HTTP service uses the TCP protocol with port number 80). You can also assign a so-called protocol inspector to certain service types (for details see below).
Figure 12.6 Network service definition
Protocol
The communication protocol used by the service. Most standard services use the TCP or the UDP protocol, or both, in which case they can be defined as one service with the TCP/UDP option. The other options available are ICMP and other. The other option allows protocol specification by the number in the IP packet header. Any protocol carried in IP (e.g. GRE — protocol number 47) can be defined this way.
Figure 12.
Source Port and Destination Port
If the TCP or UDP communication protocol is used, the service is defined by its port number. In standard client-server communication, a server listens for connections on a particular port (the number relates to the service), whereas clients do not know their port in advance (ports are assigned to clients during connection attempts).
can only be used in passive mode. The FTP protocol inspector detects that the FTP session is active, opens the appropriate port and redirects the connection to the appropriate client in the local network. Due to this fact, users in the local network are not limited by the firewall and they can use both FTP modes (active/passive). The protocol inspector is enabled if it is set in the service definition and if the corresponding traffic is allowed.
12.4 URL Groups
Figure 12.9 URL Groups
The box next to each name can be checked to activate the item or unchecked to disable it. This way you can deactivate URLs without removing them and defining them again.
Note: The default WinRoute installation already includes a predefined URL group:
• Ads/Banners: common URLs of pages that contain advertisements, banners, etc.
These groups are available to WinRoute administrators.
Group
Name of the group to which the URL will be added. This option enables the administrator to:
• select a group to which the URL will be added,
• enter a name to create a new group to which the URL will be added.
URL
The URL that will be added to the group. It can be specified as follows:
• the full address of a server, a document or a web page without protocol specification (http://),
• a substring using the special * and ? characters.
Chapter 13 User Accounts and Groups
User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can also be used to access the WinRoute administration using the Administration Console. WinRoute supports several methods of storing user accounts and groups, combining them with various types of authentication, as follows:
Internal user database
User accounts and groups and their passwords are saved in WinRoute.
Note: This type of cooperation with Active Directory applies especially to older versions of WinRoute and keeps these versions compatible. For a first installation of WinRoute, it is recommended to use transparent cooperation with Active Directory.
Transparent cooperation with Active Directory (Active Directory mapping)
WinRoute can use accounts and groups stored in Active Directory directly — no import to the local database is performed.
13.1 Viewing and definitions of user accounts
Domain
Use the Domain option to select a domain for which user accounts as well as other parameters will be defined. This item provides a list of mapped Active Directory domains (see chapter 13.4) and the local (internal) user database.
Search
The Search engine can be used to filter out user accounts meeting specified criteria.
local accounts. For detailed information about import of user accounts, refer to chapter 13.3. Import of accounts is recommended in the case of a Windows NT domain. If an Active Directory domain is used, it is recommended to use transparent cooperation with Active Directory (domain mapping — see chapter 13.4).
Accounts mapped from the Active Directory domain
If an Active Directory domain is selected as Domain, the user accounts in this domain are listed.
13.2 Local user accounts
tion any longer. Under these conditions, a local user account (Admin with a blank password) will be created automatically upon the next start of the WinRoute Firewall Engine.
3. If the administration password is forgotten, contact our technical support at http://www.kerio.com/.
Creating a local user account
Open the User Accounts tab in the User and groups → Users section. In the Domain combo box, select Local User Database.
Figure 13.
Figure 13.3 Creating a user account — basic parameters
Email Address
Email address of the user to which alerts (see chapter 17.3) and other information (e.g. an alert if a limit for data transmission is exceeded) will be sent. A valid email address should be set for each user, otherwise some WinRoute features may not be used efficiently.
Note: A relay server must be set in WinRoute for each user, otherwise sending of alert messages to users will not function.
the domain (see chapter 13.1) or they can be set specifically for the corresponding account. Using a template is suitable for common accounts in the domain (common user accounts). Definition of accounts is simpler and faster if a template is used. Individual configuration is recommended especially for accounts with special rights (e.g. WinRoute administration accounts). Usually there are not many such accounts, so configuring them individually is manageable.
Figure 13.4 Creating a new user account — groups
Step 3 — access rights
Figure 13.
Each user must be assigned one of the following three levels of access rights.
No access to administration
The user has no rights to access the WinRoute administration. This setting is commonly used for the majority of users.
Read only access to administration
The user can access WinRoute. He or she can read settings and logs but cannot edit them.
HINT: Access rights can also be defined by a user account template.
Step 4 — data transmission quota
Figure 13.6 Creating a new user account — data transmission quota
Daily and monthly limits for the volume of data transferred by a user, as well as actions to be taken when the quota is exceeded, can be set in this section.
Transfer quota
Limit settings
• Enable daily limit — daily limit parameters.
Quota exceed action
Set the actions which will be taken whenever a quota is exceeded:
• Block any further traffic — the user will be allowed to continue using already opened connections, but will not be allowed to establish new connections (i.e. to connect to another server, download a file through FTP, etc.)
• Don't block further traffic (Only limit bandwidth...) — the Internet connection speed (so-called bandwidth) will be limited for the user.
Figure 13.7 Creating a new user account — Web site content rules
made. Users who are not allowed to override rules can enable and/or disable only features which are available to them (set in their personal configuration).
HINT: Content rules can also be defined by a user account template.
Step 6 — user's IP addresses
Figure 13.
If a user works at a reserved workstation (i.e. the computer is not used by any other user) with a fixed IP address (static or reserved at the DHCP server), the user can use automatic login from that IP address. This implies that whenever a connection attempt from this IP address is detected, WinRoute assumes that the connection is performed by that user and does not require authentication.
Figure 13.9 Setting domains for authentication of local accounts
Active Directory
Use the Enable Active Directory authentication option to enable/disable authentication of local database users in the selected Active Directory domain. The following conditions must be met for smooth functionality of user authentication through Active Directory:
1. The WinRoute host must be a member of this domain.
2.
13.3 Local user database: external authentication and import of accounts
Automatic import of user accounts from Active Directory
If Active Directory is used, automatic import of user accounts can be applied. Specific WinRoute parameters (such as access rights, content rules, data transfer quotas, etc.) can be set using the template for the local user database (see chapter 13.1) and/or they can be defined individually for special accounts.
Note: It is not possible to combine automatic import with Active Directory domain mapping (see chapter 13.4), as the local user database would collide with the mapped domain. If possible, it is recommended to use the Active Directory mapping alternative.
Manual import of user accounts
It is also possible to import particular accounts into the local database from a Windows NT domain or from Active Directory.
Figure 13.12 Import of accounts from Active Directory
13.4 Active Directory domains mapping
In WinRoute, it is possible to directly use user accounts from one or more Active Directory domains. This feature is called either transparent support for Active Directory or Active Directory domain mapping.
If the DNS server itself is set in the operating system, the domain controller of the Active Directory must be the first item in the DNS servers list in the DNS Forwarder configuration (for details, refer to chapter 5.3).
• For mapping of multiple domains:
1. The WinRoute host must be a member of one of the mapped domains.
2.
Figure 13.13
Figure 13.14 Active Directory domain mapping
Advanced settings for access to the Active Directory
• It is possible to let WinRoute connect automatically to a specified server or to search for a domain server.
able increases reliability of the connection and eliminates problems in cases when a domain controller fails. The other option (specification of a controller) is recommended for domains with one server only (it speeds the process up).
• Encrypted connection — to increase security of the communication with the domain server, an encrypted connection can be used (so the traffic cannot be tapped). In such a case, encrypted connection must be enabled at the domain server.
One domain is always set as primary. In this domain, all user accounts where the domain is not specified will be searched (e.g. jsmith). Users of other domains must log in with a username including the domain (e.g. drdolittle@usoffice.company.com). Use the Add or the Edit button to define a new domain. This dialog includes the same parameters as the Active Directory tab in administration of a single domain (see above).
Notes: 1.
The following operations will be performed automatically within each conversion:
• substitution of any occurrence of the local account in the WinRoute configuration (in traffic rules, URL rules, FTP rules, etc.) by the corresponding account from the Active Directory domain,
• removal of the account from the local user database.
Accounts not selected for the conversion are kept in the local database (the collision is still reported).
13.5 User groups
Figure 13.17 WinRoute user groups
Search
The Search engine can be used to filter out user groups meeting specified criteria. The search is interactive — each character typed or deleted changes the string, which is evaluated immediately, and all groups containing the string in either Name or Description are displayed. The icon next to the entry can be clicked to clear the filtering string and display all groups in the selected domain (if the Search entry is blank, the icon is hidden).
Name
Group name (group identification).
Description
Group description. It has an informative purpose only and may contain any information, or the field can be left empty.
Step 2 — group members
Figure 13.19 Creating a user group — adding user accounts to the group
Using the Add and Remove buttons you can add or remove users to/from the group.
Figure 13.20 Creating a user group — members' user rights
Additional rights:
Users can override WWW content rules
Users belonging to the group can customize personal Web content filtering settings independently of the global configuration (for details see chapters 10.3 and 9.4).
User can unlock URL rules
This option allows members one-shot bypassing of denial rules for blocked websites (if allowed by the corresponding URL rule — see chapter 10.2).
Users are allowed to use P2P networks
The P2P Eliminator module (detection and blocking of Peer-to-Peer networks — see chapter 15.1) will not be applied to members of this group.
Users are allowed to view statistics
Users in this group will be allowed to view firewall statistics in the web interface (see chapter 9).
Group access rights are combined with user access rights.
Chapter 14 Remote Administration and Update Checks
14.1 Setting Remote Administration
Remote administration can be either permitted or denied by definition of the appropriate traffic rule. Traffic between WinRoute and the Administration Console is carried by the TCP and UDP protocols over port 44333. The definition can be done with the predefined service KWF Admin.
HINT: The same method can be used to enable or disable remote administration of Kerio MailServer through WinRoute (the KMS Admin service can be used for this purpose).
Note: Be very careful while defining traffic rules, otherwise you could block remote administration from the host you are currently working on.
14.2 Update Checking
Check for new versions
Use this option to enable/disable automatic checks for new versions. Checks are performed:
• 2 minutes after each startup of the WinRoute Firewall Engine,
• and then every 24 hours.
The result of each attempted update check (successful or not) is logged into the Debug log (see chapter 20.6).
Check also for beta versions
Enable this option if you want WinRoute to also perform update checks for beta versions.
Chapter 15 Advanced security features
15.1 P2P Eliminator
Peer-to-Peer (P2P) networks are world-wide distributed systems, where each node can represent both a client and a server. These networks are used for sharing big volumes of data (this sharing is mostly illegal). DirectConnect and Kazaa are the most popular ones. In addition to illegal data distribution, utilization of P2P networks overloads the lines via which users are connected to the Internet.
Figure 15.1 Detection settings and P2P Eliminator
As implied by the previous description, it is not possible to block connections to particular P2P networks. P2P Eliminator makes it possible to block connection to the Internet from particular hosts (Block all traffic for the particular user), to allow these users to connect to certain services only (Allow only predefined services) or to set a limit for the bandwidth (set speed limit) that can be used by P2P traffic.
If traffic of P2P network clients is not blocked, it is possible to set bandwidth limitation for P2P networks at the bottom of the P2P Eliminator tab. Internet lines are usually asymmetric (speeds differ for the incoming and outgoing direction); therefore, this limitation is set separately for each direction. Bandwidth limitation applies only to traffic of P2P networks; other services are not affected.
Figure 15.2 Bandwidth limits applied to P2P networks
Notes: 1.
• P2P network port(s) — list of ports which are exclusively used by P2P networks. These ports are usually ports for control connections — ports (port ranges) for data sharing can be set by users themselves. You can use the P2P network port(s) entry to specify ports or port ranges. Use commas to separate individual values.
• Connection count — minimal number of concurrent connections which the user must reach to trigger P2P network detection.
15.2 Special Security Settings
Anti-Spoofing
Anti-Spoofing checks whether only packets with allowed source IP addresses are received at individual interfaces of the WinRoute host. This function protects the WinRoute host from attacks from the internal network that use false IP addresses (so-called spoofing). For each interface, any source IP address belonging to any network connected to the interface is correct (either directly or via other routers).
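The anti-spoofing rule stated above, as an added example (not WinRoute's code): a source address is accepted on an interface only if the routing table says that network lies behind that interface, directly or via another router, which is a reverse-path check against the longest matching route. The routing table, interface names and packet samples are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# Routing table rows: (destination network, interface). Constructed sample;
# the interface names "LAN" and "Internet" are assumptions for this example.
Route = Tuple[ipaddress.IPv4Network, str]

SAMPLE_ROUTES: List[Route] = [
    (ipaddress.ip_network("192.168.1.0/24"), "LAN"),   # directly connected subnet
    (ipaddress.ip_network("10.10.0.0/16"), "LAN"),     # behind another router on the LAN
    (ipaddress.ip_network("0.0.0.0/0"), "Internet"),   # default route
]


def expected_interface(src: str, routes: Sequence[Route]) -> Optional[str]:
    """Interface the firewall would use to reach src (longest prefix match).

    Returns None if no route covers the address; the default route 0.0.0.0/0
    covers everything, so with it present every address maps somewhere.
    """
    addr = ipaddress.ip_address(src)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best is not None else None


def is_spoofed(ingress_iface: str, src: str, routes: Sequence[Route]) -> bool:
    """Anti-spoofing verdict for one packet.

    The source is valid only if the network containing it is connected to the
    interface the packet arrived on (directly or via other routers), i.e. the
    reverse path to src leaves through that same interface.
    """
    return expected_interface(src, routes) != ingress_iface


def check_packets(packets: Sequence[Tuple[str, str]],
                  routes: Sequence[Route]) -> List[Tuple[str, str, str]]:
    """Classify a batch of (ingress interface, source address) pairs."""
    return [(iface, src, "spoofed" if is_spoofed(iface, src, routes) else "ok")
            for iface, src in packets]


# Constructed packet samples: private source arriving from the Internet and a
# public source arriving from the LAN are the spoofing cases.
SAMPLE_PACKETS = [
    ("LAN", "192.168.1.5"),
    ("LAN", "10.10.3.4"),
    ("LAN", "8.8.8.8"),
    ("Internet", "192.168.1.5"),
    ("Internet", "203.0.113.7"),
]

if __name__ == "__main__":
    for iface, src, verdict in check_packets(SAMPLE_PACKETS, SAMPLE_ROUTES):
        print(f"{iface:8s} {src:15s} {verdict}")
```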
15.3 VPN using IPSec Protocol
IPsec (IP Security Protocol) is an extended IP protocol which enables secure data transfer. It provides services similar to SSL/TLS, however these services are provided on the network layer. IPSec can be used for creation of encrypted tunnels between networks (VPN) — so-called tunnel mode, or for encryption of traffic between two hosts — so-called transport mode. WinRoute includes so-called IPSec pass-through.
WinRoute's IPSec configuration
Generally, communication through IPSec must be permitted by the firewall policy (for details refer to chapter 6.3). The IPSec protocol uses two traffic channels:
• IKE (Internet Key Exchange — exchange of encryption keys and other information).
The Translation column must be blank — no IP translation is performed. The passthrough setting is not important in this case (it cannot be applied).
2.
IPSec server in local network
An IPSec server on a host in the local network or on the WinRoute host must be mapped from the Internet. In this case, traffic between Internet clients and the WinRoute host must be permitted by a traffic rule and mapping to the corresponding host in the local network must be set.
Warning: Only a single IPSec server can be mapped from the public IP address of the firewall.
Chapter 16 Other settings
16.1 Routing table
Using the Administration Console you can view or edit the system routing table of the host where WinRoute is running. This can be useful especially for resolving routing problems remotely (it is not necessary to use applications for terminal access, remote desktop, etc.). To view or modify the routing table go to Configuration → Routing Table.
Route Types
The following route types are used in the WinRoute routing table:
• System routes — routes downloaded from the operating system's routing table (including so-called persistent routes). These routes cannot be edited (some of them can be removed — see the Removing routes from the Routing Table section).
• Static routes — manually defined routes managed by WinRoute (see below). These routes can be added, modified and/or removed.
Definitions of Dynamic and Static Rules
Click on the Add (or Edit when a particular route is selected) button to display a dialog for route definition.
Figure 16.2 Adding a route to the routing table
Network, Network Mask
IP address and mask of the destination network.
Interface
Selection of the interface through which packets for this network should be forwarded.
Gateway
IP address of the gateway (router) which can route to the destination network.
If this option is not enabled, the route will be valid only until the operating system is restarted or until it is removed manually in the Administration Console or using the route command.
Removing routes from the Routing Table
Using the Remove button in the WinRoute admin console, records can be removed from the routing table. The following rules are used for route removal:
• Static routes in the Static Routes folder are managed by WinRoute.
Second, there must be no default gateway in the operating system (no default gateway may be defined for any network adapter). This condition does not apply to the dial-up line which is used for the Internet connection — this line will be configured in accordance with information provided by the ISP. If WinRoute receives a packet from the local network, it will compare it with the system routing table.
16.2 Demand Dial
Technical Peculiarities and Limitations
Demand dialing has its peculiarities and limitations. The limitations should be considered especially when designing and configuring the network that will use WinRoute for connection and the dial-up connected to the Internet.
1. Demand dial cannot be performed directly from the host where WinRoute is installed because it is initiated by the WinRoute low-level driver.
is performed according to special types of DNS requests. Microsoft DNS server does not support automatic dialing. Moreover, it cannot be used on the same host as DNS Forwarder as it would cause a collision of ports. As follows from the facts above, if the Internet connection is to be available via dial-up, WinRoute cannot be used on the same host where Windows 2000 Server Active Directory and Microsoft DNS are running.
4.
Figure 16.3 Demand dial rules (for responses to DNS queries)
In this section you can create a rule list of DNS names. Either a whole DNS name or only its end or beginning completed by an asterisk (*) may be entered. An asterisk may stand for any number of characters. In Actions you can select from the Dial or Ignore options. Use the second option to block dialing of the line in response to a query on the DNS name.
16.3 Universal Plug-and-Play (UPnP)
WinRoute supports the UPnP protocol (Universal Plug-and-Play). This protocol enables client applications (e.g. Microsoft MSN Messenger) to detect the firewall and request mapping of appropriate ports from the Internet to the particular host in the local network. Such mapping is always temporary — it is applied either until the ports are released by the application (using UPnP reports) or until the timeout expires.
16.4 Relay SMTP server UPnP also enables the application to open ports for a requested period. Here the Port mapping timeout parameter also represents a maximal time period that the port will be available to an application (even if the application demands a longer period, the period is automatically reduced to this value). Log packets If this option is enabled, all packets passing through ports mapped with UPnP will be recorded in the Security log (see chapter 20.11).
Figure 16.6 SMTP settings — reports sending Server Name or IP address of the server. Note: If available, we recommend using an SMTP server within the local network (messages sent by WinRoute are often addressed to local users). SMTP requires authentication Enable this option to require authentication through username and password at the specified SMTP server. Specify sender email address in “From” header In this option you can specify a sender’s email address (i.e.
16.4 Relay SMTP server Warning: 1. If the SMTP server is specified by a DNS name, it cannot be used until WinRoute resolves the corresponding IP address (by a DNS query). The IP address of specified SMTP server cannot be resolved warning message is displayed in the SMTP Relay tab until the IP address is found. If the warning persists, this implies that an invalid (non-existent) DNS name is specified or the DNS server does not respond.
Chapter 17 Status Information WinRoute activities can be well monitored by the administrator (or by other users with appropriate rights). There are three types of information — status monitoring, statistics and logs. • Communication of each computer, users connected or all connections using WinRoute can be monitored. Notes: 1. WinRoute monitors only traffic between the local network and the Internet. The traffic within the local network is not monitored. 2.
17.1 Active hosts and connected users Figure 17.1 List of active hosts and users connected to the firewall The following information can be found in the Active Hosts window: Hostname DNS name of a host. If no corresponding DNS record is found, the IP address is displayed instead. User Name of the user who is connected from a particular host. If no user is connected, the item is empty.
Start time Date and time when the host was first acknowledged by WinRoute. This information is kept in the operating system until the WinRoute Firewall Engine is disconnected. Total received, Total transmitted Total size of the data (in kilobytes) received and transmitted since the Start time. Connections Total number of connections to and from the host.
17.1 Active hosts and connected users Figure 17.2 Context menu for the Active Hosts window Refresh This option refreshes information in the Active Hosts window immediately (this function is equivalent to the Refresh button displayed at the bottom of the window). Auto refresh Settings for automatic refreshing of the information in the Active Hosts window. Information can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off (No refresh).
Figure 17.3 Information about selected host/user — actions overview Figure 17.4 Host info (if no user is connected from it) • Host — DNS name (if available) and IP address of the host • Idle time — time for which no network activity performed by the host has been detected Traffic information Information on size of data received (Download) and sent (Upload) by the particular user (or host) and on current speed of traffic in both directions.
17.1 Active hosts and connected users Activity Description Detailed information on a particular activity: • WWW — title of a Web page to which the user is connected (if no title is available, URL will be displayed instead). Page title is a hypertext link — click on this link to open a corresponding page in the browser which is set as default in the operating system. • SMTP, POP3 — DNS name or IP address of the server, size of downloaded/uploaded data.
Information about connections: Traffic rule Name of the WinRoute traffic rule (see chapter 6) by which the connection was allowed. Service Name of the service. For non-standard services, port numbers and protocols are displayed. Source, Destination Source and destination IP address (or name of the host in case that the Show DNS names option is enabled — see below). The following columns are hidden by default.
17.1 Active hosts and connected users Histogram The Histogram tab provides information on data volume transferred from and to the selected host in a selected time period. The chart provides information on the load of this host’s traffic on the Internet line through the day. Figure 17.6 Information on selected host and user — traffic histogram Select an item from the Time interval combo box to specify a time period which the chart will refer to (2 hours or 1 day).
17.2 Show connections related to the selected process One connection is represented by each line of the Connections window. These are network connections, not user connections (each client program can occupy more than one connection at a given moment). The columns contain the following information: Traffic rule Name of the WinRoute traffic rule (see chapter 6) by which the connection was allowed. Service Name of transmitted service (if such service is defined in WinRoute — see chapter 12.3).
Options of the Connections Dialog The following options are available below the list of connections: • Hide local connections — connections from and/or to the WinRoute host will not be displayed in the Connections window. This option only makes the list better-arranged and distinguishes connections of other hosts in the local network from the WinRoute host’s connections. • Show DNS names — this option displays DNS names instead of IP addresses.
17.2 Show connections related to the selected process Manage Columns By choosing this option you can select which columns will be displayed in the Connections window (see chapter 3.2). Color Settings Clicking on the Colors button displays the color settings dialog to define colors for each connection: Figure 17.9 Connection colors settings For each item either a color or the Default option can be chosen.
Note: Incoming and outgoing connections are distinguished by the direction of the IP address translation — “out” (SNAT) or “in” (DNAT). For details, refer to chapter 6. 17.3 Alerts WinRoute enables automatic sending of messages informing the administrator about important events.
17.3 Alerts Figure 17.11 Alert Definitions alert Type of the event upon which the alert will be sent: • Virus detected — antivirus engine has detected a virus in a file transmitted by HTTP, FTP, SMTP or POP3 (refer to chapter 11). • Portscan detected — WinRoute has detected a port scanning attack (either an attack passing through or an attack addressed to the WinRoute host). • Host connection limit reached — a host in the local network has reached the connection limit (see chapter 15.2).
was switched to a secondary line, or vice versa (it was switched back to the primary line). For details, refer to chapter 5.2. • License expiration — expiration date for the corresponding WinRoute license/subscription (or license of any module integrated in WinRoute, such as ISS OrangeWeb Filter, the McAfee antivirus, etc.) is getting closer.
Each line provides information on one alert: • Date — date and time of the event, • Alert — event type, • Details — basic information on events (IP address, username, virus name, etc.). Click an event to view detailed information on the item including a text description (defined by templates under console\details — see above) in the bottom section of the window. Figure 17.
Chapter 18 Basic statistics Statistical information about users (volume of transmitted data, used services, categorization of web pages) as well as of network interfaces of the WinRoute host (volume of transmitted data, load on individual lines) can be viewed in WinRoute. In the Administration Console, it is possible to view basic user statistics (volume of transferred data and quota usage information) and statistics of network interfaces (transferred data, traffic charts).
Optionally, other columns providing information on volume of data transmitted in individual time periods in both directions can be displayed. Direction of data transmission is related to the interface (the IN direction stands for data received by the interface, while OUT represents data sent from the interface). Example: The WinRoute host connects to the Internet through the Public interface and the local network is connected to the LAN interface.
18.1 Interface statistics Auto refresh Settings for automatic refreshing of the information on the Interface Statistics tab. Information can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off (No refresh). Manage Columns Use this option to select and unselect items (columns) which will (not) be displayed in the table (see chapter 3.2). Remove interface statistics This option removes the selected interface from the statistics.
The period (2 hours or 1 day) can be selected in the Time interval box. The selected time range is always understood as the time until now (“last 2 hours” or “last 24 hours”). The x axis of the chart represents time and the y axis represents traffic speed. The x axis is scaled according to the selected time period, while the scale of the y axis depends on the maximal value within the time interval and is set automatically (bytes per second is the basic measure unit — B/s).
18.2 User Statistics — data volumes and quotas Figure 18.4 User statistics Notes: 1. Optionally, other columns providing information on volume of data transmitted in individual time periods in both directions can be displayed. Direction of data transmission is related to the user (the IN direction stands for data received by the user, while OUT represents data sent by the user). 2. User statistics are saved in the stats.cfg file under the WinRoute directory.
Reset user statistics This option resets statistics of the selected user. Warning: Be aware that using this option for the all users item resets statistics of all users, including unrecognized ones! Note: Values in the statistics are also used for user traffic quota purposes (see chapter 13.1). Reset of user statistics also unblocks traffic of the particular user in case that the traffic has been blocked for quota reasons.
Chapter 19 Kerio StaR — statistics and reporting The WinRoute’s web interface provides detailed statistics on users, volume of transferred data, visited websites and web categories. This information may help figure out browsing activities and habits of individual users. The statistics monitor the traffic between the local network and the Internet. Volumes of data transferred between local hosts and visited web pages located on local servers are not included in the statistics (also for technical reasons).
Note: Data in the database used for statistics cannot be removed manually (such action would be meaningless). In the statistics, it is possible to switch to a view mode where only data for the period of interest is shown. If you do not wish to keep older data, it is possible to change the statistics storage period (see above).
19.2 Settings for statistics and quota Figure 19.1 Statistics and transferred data quota settings Enable/disable gathering of statistic data The Gather Internet Usage statistics option enables/disables all statistics (i.e. stops gathering of data for statistics). You can use the Keep at most... option to specify a time period for which the data will be kept (i.e. the age of the oldest data that will be available). This option significantly affects the disk space needed for the statistics.
Figure 19.2 Kerio StaR advanced options The Show user names in statistics by... option lets you select how users and their names will be displayed in individual user statistics. Full names can be displayed as first name second name or second name, first name. Optionally, it is also possible to view full names followed by username without or with domain (if Active Directory mapping is used).
19.3 Connection to StaR and viewing statistics Statistics and quota accounting periods An accounting period is a time period within which information on transferred data volume and other information is gathered. Statistics enable generating of weekly and monthly overviews. In Accounting Periods, it is possible to define starting days for weekly and monthly periods (for example, in statistics, a month can start on day 15 of the civil month and end on day 14 of the following civil month).
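As an added example (not part of the guide or of Kerio's own code), the Python below computes the accounting week and month that contain a given date from the starting days described above, reproducing the case where a month runs from day 15 to day 14 of the following civil month. Clamping a start day that a short month does not have to that month's last day is an assumption the guide does not state.

```python
import calendar
from datetime import date, timedelta
from typing import Tuple


def _period_start_in_month(year: int, month: int, start_day: int) -> date:
    """Start of the accounting month that begins in civil month (year, month).
    Assumption: a start day beyond the month's length is clamped to its last day."""
    last = calendar.monthrange(year, month)[1]
    return date(year, month, min(start_day, last))


def _shift_month(year: int, month: int, delta: int) -> Tuple[int, int]:
    """Move (year, month) by `delta` months, wrapping across year boundaries."""
    idx = year * 12 + (month - 1) + delta
    return idx // 12, idx % 12 + 1


def accounting_month(d: date, start_day: int = 1) -> Tuple[date, date]:
    """Return (first_day, last_day) of the accounting month containing d,
    where every accounting month starts on civil day `start_day`."""
    if not 1 <= start_day <= 31:
        raise ValueError("start_day must be in 1..31")
    start = _period_start_in_month(d.year, d.month, start_day)
    if d < start:
        # d lies before this civil month's start day, so the period began last month.
        y, m = _shift_month(d.year, d.month, -1)
        start = _period_start_in_month(y, m, start_day)
    y, m = _shift_month(start.year, start.month, +1)
    end = _period_start_in_month(y, m, start_day) - timedelta(days=1)
    return start, end


def accounting_week(d: date, first_weekday: int = 0) -> Tuple[date, date]:
    """Return (first_day, last_day) of the accounting week containing d;
    first_weekday follows Python's convention (0 = Monday ... 6 = Sunday)."""
    start = d - timedelta(days=(d.weekday() - first_weekday) % 7)
    return start, start + timedelta(days=6)


if __name__ == "__main__":
    # The guide's example: months run from day 15 to day 14 of the next civil month.
    for day in (date(2007, 3, 14), date(2007, 3, 15), date(2007, 3, 20)):
        print(day, "->", accounting_month(day, start_day=15))
    # A week that starts on Sunday.
    print(date(2007, 3, 14), "->", accounting_week(date(2007, 3, 14), first_weekday=6))
```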
Note: The URL for this link consists of the name of the server and of the port of the secured Web interface defined in the configuration (see chapter 9.1). This guarantees that the link works from the WinRoute host and from the local network.
19.4 Accounting period • Users by Traffic — table and chart for volumes of data transferred by individual users. • Visited Sites — overview of the ten most frequently visited web domains. A chart and table of top users having visited the greatest number of web pages of the domain is provided. • Web Categories — the top ten most frequently visited web categories (in accordance with the ISS OrangeWeb Filter’s categorization).
Select an item in the Period length combo box (day, week, month). Further options are displayed depending on which option has been selected. Note: Weeks and months might not correspond with weeks and months of the civil calendar. In configuration of statistics (see chapter 19.2), it is possible to set a so-called accounting period — the starting day of a month and the first day of a week. Changes in these settings affect only new data.
19.5 Overall View The Overall tab provides overall statistics for all users within the local network (including anonymous, i.e. unauthenticated users) for the selected accounting period. Traffic by periods The first chart provides information on the volume of data transferred in individual subperiods of the selected period. The table next to the chart shows data volumes transferred in the entire selected period (total and for both directions as well).
Figure 19.7 Chart of top visited web domains cannot be precise, though the approximation is very good. Top Requested Web Categories This chart shows the top five web categories requested in the selected period, as categorized by the ISS OrangeWeb Filter module. The number in the chart refers to the total number of HTTP requests included in the particular category.
19.5 Overall View Figure 19.9 Top 5 users statistics Firewall is a special user account including data transferred from and to the WinRoute host. However, whenever a particular user connects to the firewall, the data transferred are accounted in statistics of this user. 3. Data transferred by unauthenticated users is summed and accounted as the not logged in user. However, this information is not very useful and, therefore, it is recommended to set the firewall to always require authentication.
Figure 19.10 Parts of individual protocols in the total volume of transferred data • E-mail — SMTP, IMAP, POP3 protocols (and their secured versions), • FTP — FTP protocol (including traffic over proxy server), • Multimedia — protocols enabling real-time transmission of sound and video files (e.g. RTSP, MMS, RealAudio), • P2P — file-sharing protocols (peer-to-peer — e.g. DirectConnect, BitTorrent, eDonkey, etc.).
Figure 19.11 Selection of a new time period for website statistics 19.6 User statistics The Individual tab allows showing of statistics for a selected user. First, select a user in the Select User menu. The menu includes all users for which any statistic data is available in the database — i.e. users which were active in the selected period (see chapter 19.2). Figure 19.
• top requested web categories, • used protocols and their part in the total volume of transferred data, For detailed information on individual statistic sections, see chapter 19.5. 19.7 Users by Traffic The Users by Traffic section shows a table of all users sorted by volume of transferred data. The table also shows each user’s share of the total volume of transferred data. Figure 19.
19.8 Top Visited Websites The Visited Sites tab includes statistics for the top ten most frequently visited web domains. These statistics provide for example the following information: • which sites (domains) are visited by the users regularly, • which users are the most active in web browsing, The chart on the left of the tab shows top ten visited web domains.
Figure 19.15 Top active users for the particular domain TIP: The way user names are displayed in the table can be set in the Administration Console, in section Accounting, after clicking on the Advanced button (see chapter 19.2). Only full names are shown in charts (or usernames if the full name is not defined in the account of the particular user). 19.
19.9 Top Requested Web Categories Figure 19.16 Top visited websites sorted by categories The right section of the tab provides detailed statistics for each of the top ten most frequented web categories: Figure 19.
• The header provides the name of the category and the total number of requests to websites belonging to the category. • The chart shows the share of the most active users (up to six items) in the total visit rate of the particular category. • The table below the chart shows the most active users sorted by number of requests to the particular web category (up to ten users).
Chapter 20 Logs Logs are files where the history of certain events performed through or detected by WinRoute is recorded and kept. Each log is displayed in a window in the Logs section. Each event is represented by one record line. Each line starts with a time mark in brackets (date and time when the event took place, to the second). This mark is followed by information depending on the log type. If the record includes a URL, it is displayed as a hypertext link.
Figure 20.1 Log settings File Logging Use the File Logging tab to define file name and rotation parameters. Enable logging to file Use this option to enable/disable logging to file according to the File name entry (the .log extension will be appended automatically). If this option is disabled, none of the following parameters and settings will be available. Rotate regularly Set intervals in which the log will be rotated regularly.
20.1 Log settings Figure 20.2 File logging settings Syslog Logging Parameters for logging to a Syslog can be defined in the External Logging tab. Figure 20.
Enable Syslog logging Enable/disable logging to a Syslog server. If this option is disabled, none of the following parameters and settings will be available. Syslog server DNS name or IP address of the Syslog server. Facility Facility that will be used for the particular WinRoute log (depends on the Syslog server). Severity Severity of logged events (depends on the Syslog server). 20.
20.2 Logs Context Menu The Save log option opens a dialog box where the following optional parameters can be set: Figure 20.5 Saving a log to a file • Target file — name of the file where the log will be saved. By default, a name derived from the file name is set. The file extension is set automatically in accordance with the format selected. • Format — logs can be saved as plaintext or in HTML.
Encoding The character encoding that will be used for the log printout in Administration Console can be selected in this section. UTF-8 is used by default. HINT: Select a new encoding type if special characters are not printed correctly in non-English versions. Log debug A dialog where log parameters such as log file name, rotation and Syslog parameters can be set. These parameters can also be set in the Log settings tab under Configuration → Accounting. For details, refer to chapter 20.1.
20.2 Logs Context Menu Figure 20.6 Log highlighting settings Figure 20.7 Highlighting rule definition Note: A regular expression is an expression that uses special symbols to describe a set of strings. WinRoute accepts all regular expressions in accordance with the POSIX standard. For detailed instructions contact Kerio technical support. For detailed information, refer for example to http://www.gnu.
The Debug log advanced settings Special options are available in the Debug log context menu. These options are available only to users with full administration rights (see chapter 13.1). IP Traffic This function enables monitoring of packets according to a user-defined log expression. Figure 20.8 Expression for traffic monitored in the debug log The expression must be defined with special symbols.
20.3 Alert Log Figure 20.9 Selection of information monitored by the Debug log Clientless SSL-VPN, etc. 20.3 Alert Log The Alert log provides a complete history of alerts generated by WinRoute (e.g. alerts upon virus detection, dialing and hanging-up, reached quotas, detection of P2P networks, etc.). Each event in the Alert log includes a time stamp (date and time when the event was logged) and information about an alert type (in capitals). The other items depend on an alert type.
20.4 Config Log The Config log stores a complete communication history between Administration Console and the WinRoute Firewall Engine — the log allows you to find out what administration actions were performed by which user, and when. The Config window contains three log types: 1. Information about user logins/logouts to/from the WinRoute’s administration Example: [18/Apr/2003 10:25:02] james - session opened for host 192.168.32.
20.5 Connection Log • insert StaticRoutes ... — the particular command used to modify the WinRoute’s configuration database (in this case, a static route was added to the routing table) 3. Other changes in configuration A typical example of this record type is the change of traffic rules. When the user hits Apply in Configuration → Traffic policy, a complete list of current traffic rules is written to the Config log.
• [Rule] NAT — name of the traffic rule which has been used (a rule by which the traffic was allowed or denied). • [Service] HTTP — name of a corresponding application layer service (recognized by destination port). If the corresponding service is not defined in WinRoute (refer to chapter 12.3), the [Service] item is missing in the log. • [User] james — name of the user connected to the firewall from a host which participates in the traffic.
20.7 Dial Log [15/Mar/2004 15:09:27] Line "Connection" dialing, console 127.0.0.1 - Admin [15/Mar/2004 15:09:39] Line "Connection" successfully connected The first log item is reported upon initialization of dialing. The log always includes the WinRoute name of the dialed line (see chapter 5.1). If the line is dialed from the Administration Console, the log provides this additional information: • where the line was dialed from (console — Administration Console), • IP address of the client (i.e.
The first log item is recorded upon reception of a DNS request (the DNS forwarder has not found the requested DNS record in its cache). The log provides: • DNS name from which IP address is being resolved, • description of the packet with the corresponding DNS query (protocol, source IP address, source port, destination IP address, destination port), • name of the line to be dialed. Another event is logged upon a successful connection (i.e.
20.8 Error Log The Error log displays information about serious errors that affect the functionality of the entire firewall. The WinRoute administrator should check this log regularly and fix detected problems as soon as possible. Otherwise, users might have problems with some services and/or serious security problems might arise.
• 8400-8499 — dial-up error (unable to read defined dial-up connections, line configuration error, etc.) • 8500-8599 — LDAP errors (server not found, login failed, etc.) Note: If you are not able to correct an error (or figure out what it is caused by) which is repeatedly reported in the Error log, do not hesitate to contact our technical support. For detailed information, refer to chapter 25 or to http://www.kerio.com/. 20.
20.10 Http log Example of a traffic rule log message: [16/Apr/2003 10:51:00] PERMIT ’Local traffic’ packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.168.1.
Notes: 1. Only accesses to allowed pages are recorded in the HTTP log. Requests that were blocked by HTTP rules are logged to the Filter log (see chapter 20.9), if the Log option is enabled in the particular rule (see section 10.2). 2. The Http log is intended to be processed by external analytical tools. The Web log (see below) is better suited to be viewed by the WinRoute administrator. An example of an Http log record that follows the Apache format: [18/Apr/2003 15:07:17] 192.168.64.
20.11 Security Log • 192.168.64.64 — IP address of the client (i.e. of the host from which the client is connected to the website) • TCP_MISS — the TCP protocol was used and the particular object was not found in the cache (“missed”). WinRoute always uses this value for this field. • 304 — return code of the HTTP protocol • 0 — transferred data amount in bytes (HTTP object size) • GET http://www.squid-cache.
• flags: — TCP flags • seq: — sequence number of the packet (TCP only) • ack: — acknowledgement sequence number (TCP only) • win: — size of the receive window in bytes (it is used for data flow control — TCP only) • tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only) 2. FTP protocol parser log records Example 1: [17/Jul/2003 11:55:14] FTP: Bounce attack: attempt: client: 1.2.3.4, server: 5.6.7.
20.12 Sslvpn Log a) Engine Startup: [17/Dec/2004 12:11:33] Engine: Startup. b) Engine Shutdown: [17/Dec/2004 12:22:43] Engine: Shutdown. 20.12 Sslvpn Log In this log, operations performed in the Clientless SSL-VPN interface are recorded. Each log line provides information about an operation type, name of the user who performed it and file associated with the operation. Example: [17/Mar/2005 08:01:51] Copy File: User: jsmith@company.com File: ’\\server\data\www\index.html’ 20.
[15/Apr/2004 15:00:51] (3004) Authentication subsystem warning: Kerberos 5 auth: user john@company.com not [15/Apr/2004 15:00:51] (3004) Authentication subsystem warning: Invalid password for user admin [16/Apr/2004 10:53:20] (3004) Authentication subsystem warning: User jsmith doesn’t exist • The first log informs that authentication of user jsmith by the Kerberos system in the company.
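As an added example (not part of the guide or of WinRoute's own code), the following Python parses Warning log lines of the Authentication subsystem in the format shown above and flags a burst of failed logins against one account, which is what an administrator reading this log is usually looking for. The sample lines are constructed, and the 5-failures-in-5-minutes threshold and the decision to count unknown-user and bad-password warnings alike are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of Warning log lines in the guide's format (the events
# are invented; no real system produced them). The last line is filler that
# the parser must ignore.
SAMPLE_LOG = """\
[15/Apr/2004 15:00:51] (3004) Authentication subsystem warning: Invalid password for user admin
[15/Apr/2004 15:00:53] (3004) Authentication subsystem warning: Invalid password for user admin
[15/Apr/2004 15:00:55] (3004) Authentication subsystem warning: Invalid password for user admin
[15/Apr/2004 15:00:58] (3004) Authentication subsystem warning: Invalid password for user admin
[15/Apr/2004 15:01:02] (3004) Authentication subsystem warning: User guest doesn't exist
[15/Apr/2004 15:01:04] (3004) Authentication subsystem warning: Invalid password for user admin
[15/Apr/2004 15:01:05] (3004) Authentication subsystem warning: Invalid password for user admin
[15/Apr/2004 17:40:10] (3004) Authentication subsystem warning: Invalid password for user jsmith
[16/Apr/2004 10:53:20] (3004) Authentication subsystem warning: User jsmith doesn't exist
[16/Apr/2004 10:53:25] constructed filler line that is not an authentication warning
"""

# Time stamp in brackets, numeric code in parentheses, subsystem, free-text message.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"\((?P<code>\d+)\) Authentication subsystem warning: (?P<msg>.*)$"
)

# Message kinds taken from the guide; "doesn.t" also accepts a typographic apostrophe.
MSG_PATTERNS = [
    ("invalid_password", re.compile(r"^Invalid password for user (?P<user>\S+)$")),
    ("unknown_user", re.compile(r"^User (?P<user>\S+) doesn.t exist$")),
]


def parse_line(line: str) -> Optional[Dict]:
    """Return {"ts", "code", "kind", "user"} for a classified authentication
    failure, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    for kind, pat in MSG_PATTERNS:
        mm = pat.match(m.group("msg"))
        if mm:
            return {"ts": ts, "code": int(m.group("code")),
                    "kind": kind, "user": mm.group("user")}
    return None  # an authentication warning of a kind we do not classify


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def failures_per_user(events: List[Dict]) -> Counter:
    return Counter(e["user"] for e in events)


def detect_bursts(events: List[Dict], threshold: int = 5,
                  window: timedelta = timedelta(minutes=5)
                  ) -> List[Tuple[str, datetime, datetime, int]]:
    """Sliding window per account: report (user, first_ts, last_ts, count) as
    soon as `threshold` failures fall within `window`; one report per account."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start], t, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failures per account:", dict(failures_per_user(events)))
    for user, first, last, n in detect_bursts(events):
        print(f"ALERT: {n} failed logins for '{user}' between {first} and {last}")
```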
20.14 Web Log Note: If the page title cannot be identified (e.g. because its content is compressed), "Encoded content" is reported instead • http://www.kerio.
Chapter 21 Kerio VPN WinRoute enables secure interconnection of remote private networks using an encrypted tunnel and it provides clients secure access to their local networks via the Internet. This method of interconnection of networks (and of access of remote clients to local networks) is called virtual private network (VPN). WinRoute includes a proprietary implementation of VPN, called “Kerio VPN”.
21.1 VPN Server Configuration • No collisions arise while encrypted channels through the firewall are being created. It is assumed that one or multiple firewalls (with or without NAT) are used between connected networks (or between remote clients and local networks). • No special user accounts need to be created for VPN clients. User accounts in WinRoute (or domain accounts if the Active Directory is used — see chapter 8.1) are used for authentication.
General Figure 21.2 VPN server settings — basic parameters Enable VPN server Use this option to enable/disable the VPN server. The VPN server uses the TCP and UDP protocols; port 4090 is used by default (the port can be changed in advanced options, however, it is usually not necessary to change it). If the VPN server is not used, it is recommended to disable it. The action will be applied upon clicking the Apply button in the Interfaces tab. IP address assignment Specification of a subnet (i.
21.1 VPN Server Configuration upon saving of the settings (by clicking Apply in the Interfaces tab). In such cases, redefine the VPN subnet. Figure 21.3 VPN server — detection of IP collision It is recommended to check that no IP collision is reported after each change in configuration of the local network and/or of the VPN! Notes:
VPN server — it is not necessary to apply for a new certificate. DNS Figure 21.4 VPN server settings — specification of DNS servers Specify a DNS server which will be used for VPN clients: • Use WinRoute as DNS server — IP address of a corresponding interface of WinRoute host will be used as a DNS server for VPN clients (VPN clients will use the DNS forwarder). If the DNS Forwarder is already used as a DNS server for local hosts, it is recommended to use it also for VPN clients.
21.1 VPN Server Configuration Figure 21.5 VPN server settings — server port and routes for VPN clients Notes: If the VPN server is already running, all VPN clients will be automatically disconnected during the port change. If it is not possible to run the VPN server at the specified port (the port is used by another service), the following error will be reported in the Error log (see chapter 20.
HINT: Use the 255.255.255.255 network mask to define a route to a certain host. This can be helpful for example when a route to a host in the demilitarized zone at the VPN server’s side is being added. 21.
21.3 Interconnection of two private networks via the Internet (VPN tunnel) If the rules are set like this, all VPN clients can access local networks and vice versa (all local hosts can communicate with all VPN clients). To restrict the type of network access available to VPN clients, special rules must be defined. Several examples of restriction settings within Kerio VPN are covered in chapter 21.5. Notes: 1.
Figure 21.7 VPN tunnel configuration Configuration Selection of a mode for the local end of the tunnel: • Active — this side of the tunnel will automatically attempt to establish and maintain a connection to the remote VPN server. The remote VPN server must be specified in the Remote hostname or IP address entry. If the remote VPN server does not use port 4090, a corresponding port number separated by a colon must be specified (e.g. server.company.com:4100 or 10.10.
21.3 Interconnection of two private networks via the Internet (VPN tunnel) the tunnel). • Passive — this end of the tunnel will only listen for an incoming connection from the remote (active) side. The passive mode is only useful when the local end of the tunnel has a fixed IP address and when it is allowed to accept incoming connections. At least one end of each VPN tunnel must be switched to the active mode (passive servers cannot initiate a connection).
Chapter 21 Kerio VPN DNS Settings DNS must be set properly at both sends of the tunnel so that it is possible to connect to hosts in the remote network using their DNS names. One method is to add DNS records of the hosts (to the hosts file) at each endpoint. However, this method is quite complicated and inflexible. If the DNS forwarder in WinRoute is used as the DNS server at both ends of the tunnel, DNS queries (for DNS rules, refer to chapter 5.
21.3 Interconnection of two private networks via the Internet (VPN tunnel) Figure 21.9 VPN tunnel’s routing configuration Connection establishment Active endpoints automatically attempt to recover connection whenever they detect that the corresponding tunnel has been disconnected (the first connection establishment is attempted immediately after the tunnel is defined and upon clicking the Apply button in Configuration → Interfaces, i.e. when the corresponding traffic is allowed — see below).
Chapter 21 Kerio VPN VPN tunnels can be disabled by the Disable button. Both endpoints should be disabled while the tunnel is being disabled. Note: VPN tunnels keeps their connection (by sending special packets in regular time intervals) even if no data is transmitted. This feature protects tunnels from disconnection by other firewalls or network devices between ends of tunnels.
Figure 21.11 Common traffic rules for VPN tunnel
21.4 Exchange of routing information
Routing information (i.e. data describing routes to local subnets) is exchanged automatically between the endpoints of any VPN tunnel (or between the VPN server and a VPN client). Thus, the routing tables on both sides of the tunnel are kept up to date.
sions, custom routes take priority. This option easily solves the problem of a remote endpoint providing one or more invalid routes.
• Custom routes only — all routes to remote networks must be set manually at the local endpoint of the tunnel. This alternative prevents invalid routes provided by a remote endpoint from being added to the local routing table.
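As an added illustration of the two policies just described (example code written for this guide’s readers, not Kerio’s implementation; the mode names, the Route class and all subnets are constructed), the following Python builds a tunnel endpoint’s routing table from custom and remote-advertised routes and reports why each advertised route was rejected:

```python
"""Added example (not Kerio's code): merging routes advertised by the remote
end of a VPN tunnel with the administrator's custom routes under the two
policies of section 21.4.  Mode names, the Route class and all subnets below
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    source: str  # "custom" (set on the Advanced tab) or "remote" (learned via the tunnel)


def collides(a: IPv4Network, b: IPv4Network) -> bool:
    """Two routes collide when their address ranges overlap at all."""
    return a.overlaps(b)


def merge_routes(local_subnets: Iterable[str], custom: Iterable[str],
                 remote: Iterable[str], mode: str) -> Tuple[List[Route], List[Tuple[str, str]]]:
    """Build the routing table for one tunnel endpoint.

    local_subnets: networks attached directly to this endpoint.  A remote route
        covering any of them would redirect local traffic into the tunnel, so it
        is always treated as invalid.
    custom: routes the administrator set manually for this tunnel.
    remote: routes the other endpoint advertised.
    mode: "custom_only" ignores every advertised route; "custom_preferred" keeps
        advertised routes unless they collide with a custom route (custom wins).

    Returns (accepted routes, rejected (route, reason) pairs) so that rejections
    can be logged and investigated rather than silently dropped.
    """
    if mode not in ("custom_only", "custom_preferred"):
        raise ValueError(f"unknown mode {mode!r}")
    local = [ip_network(n) for n in local_subnets]
    accepted = [Route(ip_network(n), "custom") for n in custom]
    rejected: List[Tuple[str, str]] = []
    if mode == "custom_only":
        return accepted, [(n, "remote routes disabled") for n in remote]
    for n in remote:
        net = ip_network(n)
        if any(collides(net, l) for l in local):
            rejected.append((n, "overlaps a local subnet"))
        elif any(collides(net, r.network) for r in accepted if r.source == "custom"):
            rejected.append((n, "collides with a custom route"))
        else:
            accepted.append(Route(net, "remote"))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed scenario: the headquarters end of a tunnel to a filial.
    hq_lans = ["10.1.1.0/24", "10.1.2.0/24"]
    custom = ["192.168.2.0/24"]
    advertised = ["192.168.1.0/24",   # the filial's real LAN
                  "10.1.1.0/24",      # bogus: would capture HQ LAN 1 traffic
                  "0.0.0.0/0",        # bogus: would capture all traffic
                  "192.168.2.0/25"]   # collides with the custom route
    ok, bad = merge_routes(hq_lans, custom, advertised, "custom_preferred")
    for r in ok:
        print(f"accept {r.network} ({r.source})")
    for n, why in bad:
        print(f"reject {n}: {why}")
```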
21.5 Example of Kerio VPN configuration: company with a filial office
This chapter gives a detailed example of how to create an encrypted tunnel connecting two private networks using Kerio VPN. The example can easily be customized. The method described can be used where creating VPN tunnels does not produce redundant routes (i.e. multiple routes between individual private networks).
4. No restrictions are applied to connections from the headquarters to the branch office network.
5. LAN 2 is available neither to the branch office network nor to VPN clients.
Figure 21.12 Example — interconnection of the headquarters and a filial office by VPN tunnel (connection of VPN clients is possible)
Common method
The following actions must be taken in both local networks (i.e. in the main office and the filial):
1. It is necessary that WinRoute in version 6.0.
For a detailed description of the basic configuration of WinRoute and of the local network, refer to the Kerio WinRoute Firewall — Step By Step document.
3. In the DNS Forwarder configuration, set DNS forwarding rules for the domain in the remote network. This makes it possible to access hosts in the remote network by their DNS names (otherwise, remote hosts must be specified by IP address).
If a remote host is tested by IP address and does not respond, check the configuration of the traffic rules and/or check whether the subnets collide (i.e. whether the same subnet is used at both ends of the tunnel). If the IP address is reachable but an error (Unknown host) is reported when the corresponding DNS name is tested, check the DNS configuration.
In step 5, select Create rules for Kerio VPN server. The state of the Create rules for Kerio Clientless SSL-VPN option is irrelevant (this example does not cover the Clientless SSL-VPN interface).
Figure 21.14 Headquarter — creating default traffic rules for Kerio VPN
This step creates rules for connections to the VPN server as well as for communication of VPN clients with the local network (through the firewall).
Figure 21.
Figure 21.16 Headquarter — DNS forwarder configuration
• Enable the Use custom forwarding option and define rules for names in the filial.company.com domain. Specify the DNS forwarding server by the IP address of the remote firewall host’s interface (i.e. the interface connected to the local network at the other end of the tunnel).
Figure 21.17 Headquarter — DNS forwarding settings
• Set the IP address of this interface (10.1.1.
Figure 21.18 Headquarter — TCP/IP configuration at a firewall’s interface connected to the local network
4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate issued by a certification authority is available).
Note: An automatically selected free subnet is now shown in the VPN network and Mask entries.
Figure 21.
5. Create a passive end of the VPN tunnel (the server of the branch office uses a dynamic IP address). Specify the remote endpoint’s fingerprint as the fingerprint of the certificate of the branch office VPN server.
Figure 21.20 Headquarter — definition of VPN tunnel for a filial office
6. Customize traffic rules according to the restriction requirements.
Figure 21.21 Headquarter — final traffic rules
• Create the Branch office rule, which allows connections to services in LAN 1.
• Add the Company headquarters rule, which allows connections from both headquarters subnets to the branch office network.
Rules defined this way meet all the restriction requirements. Traffic that does not match any of these rules is blocked by the default rule (see chapter 6.3).
Configuration of a filial office
1. Install WinRoute (version 6.0.
Figure 21.22 Filial — no restrictions are applied to accessing the Internet from the LAN
Figure 21.23 A filial — it is not necessary to create rules for the Kerio VPN server
Figure 21.
When the VPN tunnel is created, customize these rules according to the restriction requirements (Step 6).
3. Customize the DNS configuration as follows:
• In the configuration of the DNS Forwarder in WinRoute, specify the DNS servers to which DNS queries not addressed to the company.com domain will be forwarded (by default, the primary and secondary DNS servers of the Internet connection provider).
Figure 21.
• Set the IP address of this interface (192.168.1.1) as the primary DNS server for the WinRoute host’s interface connected to the local network.
Figure 21.27 Filial office — TCP/IP configuration at a firewall’s interface connected to the local network
• Set the IP address 192.168.1.1 as the primary DNS server for the other hosts as well.
Figure 21.28 Filial office — VPN server configuration
For a detailed description of the VPN server configuration, refer to chapter 21.1.
5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerprint of the headquarters VPN server as the fingerprint of the remote SSL certificate. At this point, the connection should be established (i.e. the tunnel should be created).
Figure 21.29 Filial office — definition of VPN tunnel for the headquarters
Figure 21.
Note: No further customization of traffic rules is necessary. The required restrictions should already be set in the traffic policy at the headquarters server.
VPN test
The configuration of the VPN tunnel is now complete. At this point, it is recommended to test the availability of remote hosts from each end of the tunnel (from both local networks). For example, the ping and/or tracert operating system commands can be used for this testing.
21.6 Example of a more complex Kerio VPN configuration
Specification
The network follows the pattern shown in figure 21.31.
Figure 21.31 Example of a VPN configuration — a company with two filials
The server (default gateway) uses the fixed IP address 63.55.21.12 (DNS name gw-newyork.company.com). The server of one filial uses the IP address 115.95.27.55 (DNS name gw-london.company.com); the other filial’s server uses a dynamic IP address assigned by the ISP.
Note: For each installation of WinRoute, a separate license for the corresponding number of users is required! For details see chapter 4.
2. Configure and test the connection of the local network to the Internet. Hosts in the local network must use the WinRoute host’s IP address as the default gateway and as the primary DNS server. If it is a new (clean) WinRoute installation, the traffic rule wizard can be used (refer to chapter 6.1).
If the remote endpoint of the tunnel has already been defined, check whether the tunnel was created. If not, refer to the Error log, check the fingerprints of the certificates and also the availability of the remote server.
6. Follow the same method to define a tunnel and set routing to the other remote network.
7. Allow traffic between the local and the remote networks.
Figure 21.32 Headquarters — no restrictions are applied to accessing the Internet from the LAN
Figure 21.33 Headquarter — creating default traffic rules for Kerio VPN
Figure 21.
3. Customize the DNS configuration as follows:
• In the configuration of the DNS Forwarder in WinRoute, specify the DNS servers to which DNS queries not addressed to the company.com domain will be forwarded (by default, the primary and secondary DNS servers of the Internet connection provider).
Figure 21.35 Headquarter — DNS forwarder configuration
• Enable the Use custom forwarding option and define rules for names in the filial1.company.com and filial2.
• Set the IP address of this interface (10.1.1.1) as the primary DNS server for the WinRoute host’s interface connected to the LAN 1 local network. It is not necessary to set DNS on the interface connected to LAN 2.
Figure 21.37 Headquarter — TCP/IP configuration at a firewall’s interface connected to the local network
• Set the IP address 10.1.1.1 as the primary DNS server for the other hosts as well.
4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate issued by a certification authority is available).
Note: An automatically selected free subnet is now shown in the VPN network and Mask entries. Check that this subnet does not collide with any other subnet in the headquarters or in the filials. If it does, specify a free subnet.
Figure 21.
5. Create a passive endpoint of the VPN tunnel connected to the London filial. Use the fingerprint of the London filial office’s VPN server as the fingerprint of the remote SSL certificate.
Figure 21.39 Headquarter — definition of VPN tunnel for the London filial
On the Advanced tab, select the Use custom routes only option and set routes to the subnets at the remote endpoint of the tunnel (i.e. in the London filial).
the London filial, whereas the tunnel between the headquarters and the Paris office stays idle.
Figure 21.
6. Use the same method to create a passive endpoint for the tunnel connected to the Paris filial.
Figure 21.41 The headquarters — definition of VPN tunnel for the Paris filial
On the Advanced tab, select the Use custom routes only option and set routes to the subnets at the remote endpoint of the tunnel (i.e. in the Paris filial).
7. Add the new VPN tunnels to the Local Traffic rule.
Figure 21.42 The headquarters — routing configuration for the tunnel connected to the Paris filial
Figure 21.
Configuration of the London filial
1. Install WinRoute (version 6.1.0 or higher) on the default gateway of the filial’s network.
2. Use the Network Rules Wizard (see chapter 6.1) to configure the basic traffic policy in WinRoute. To keep the example as simple as possible, it is assumed that access from the local network to the Internet is not restricted, i.e. that access to all services is allowed in step 4.
This step creates rules for connections to the VPN server as well as for communication of VPN clients with the local network (through the firewall).
Figure 21.46 The London filial office — default traffic rules for Kerio VPN
3. Customize the DNS configuration as follows:
• In the configuration of the DNS Forwarder in WinRoute, specify the DNS servers to which DNS queries not addressed to the company.
Figure 21.48 The London filial office — DNS forwarding settings
4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate issued by a certification authority is available).
Note: An automatically selected free subnet is now shown in the VPN network and Mask entries. Check that this subnet does not collide with any other subnet in the headquarters or in the filials. If it does, specify a free subnet.
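The subnet checks called for here and in the VPN test of section 21.5 (no collisions between the sites’ subnets, and a VPN subnet that collides with nothing), as an added Python example that is not Kerio’s code. It goes slightly beyond the text by treating any overlap, not only an identical subnet, as a collision; the site names and subnets are constructed:

```python
"""Added example (not Kerio's code): checking that the subnets of all sites do
not collide with each other or with the VPN subnet, and picking a free VPN
subnet when they do, as sections 21.5 and 21.6 require.  Site names and all
subnets below are constructed for illustration."""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Address ranges reserved for private networks (see the glossary).
PRIVATE_RANGES = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def find_collisions(subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of named subnets whose address ranges overlap.

    Overlap, not only identity, counts: 10.1.0.0/16 at one end of a tunnel and
    10.1.1.0/24 at the other leaves the more specific network unreachable."""
    nets = {name: ip_network(s) for name, s in subnets.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def check_vpn_subnet(vpn_subnet: str, site_subnets: Dict[str, str]) -> List[str]:
    """Names of site subnets that the (automatically selected) VPN subnet collides with."""
    vpn = ip_network(vpn_subnet)
    return [name for name, s in site_subnets.items() if vpn.overlaps(ip_network(s))]


def find_free_subnet(site_subnets: Dict[str, str], prefixlen: int = 24) -> Optional[str]:
    """First block of the requested size, inside the private ranges, that collides
    with no site subnet; None if the private ranges are exhausted."""
    used = [ip_network(s) for s in site_subnets.values()]
    for rng in PRIVATE_RANGES:
        if prefixlen < rng.prefixlen:
            continue  # cannot carve a block larger than the range itself
        for candidate in rng.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed inventory of the subnets at the headquarters and both filials.
    sites = {"HQ LAN 1": "10.1.1.0/24", "HQ LAN 2": "10.1.2.0/24",
             "London LAN": "192.168.1.0/24",
             "Paris LAN 1": "172.16.1.0/24", "Paris LAN 2": "172.16.2.0/24"}
    print("site collisions:", find_collisions(sites))
    auto_vpn = "192.168.1.0/24"   # constructed: an auto-selected VPN subnet that clashes
    clash = check_vpn_subnet(auto_vpn, sites)
    if clash:
        print(f"{auto_vpn} collides with {clash}; use {find_free_subnet(sites)} instead")
```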
For a detailed description of the VPN server configuration, refer to chapter 21.1.
5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerprint of the headquarters VPN server as the fingerprint of the remote SSL certificate.
Figure 21.
On the Advanced tab, select the Use custom routes only option and set routes to the headquarters’ local networks.
Figure 21.51 The London filial — routing configuration for the tunnel connected to the headquarters
At this point, the connection should be established (i.e. the tunnel should be created). If connected successfully, the Connected status is reported in the Adapter info column for both ends of the tunnel.
6. Create a passive endpoint of the VPN tunnel connected to the Paris filial. Use the fingerprint of the Paris filial office’s VPN server as the fingerprint of the remote SSL certificate.
Figure 21.52 The London filial office — definition of VPN tunnel for the Paris filial office
On the Advanced tab, select the Use custom routes only option and set routes to the Paris local networks.
7.
Figure 21.53 The London filial — routing configuration for the tunnel connected to the Paris branch office
Figure 21.
Configuration of the Paris filial
1. Install WinRoute (version 6.1.0 or higher) on the default gateway of the filial’s network.
2. Use the Network Rules Wizard (see chapter 6.1) to configure the basic traffic policy in WinRoute. To keep the example as simple as possible, it is assumed that access from the local network to the Internet is not restricted, i.e. that access to all services is allowed in step 4.
Figure 21.
3. Customize the DNS configuration as follows:
• In the configuration of the DNS Forwarder in WinRoute, specify the DNS servers to which DNS queries not addressed to the company.com domain will be forwarded (by default, the primary and secondary DNS servers of the Internet connection provider).
Figure 21.57 The Paris filial office — DNS forwarder configuration
• Enable the Use custom forwarding option and define rules for names in the company.com and filial1.company.com domains.
• Set the IP address of this interface (172.16.1.1) as the primary DNS server for the WinRoute host’s interface connected to the LAN 1 local network. It is not necessary to set DNS on the interface connected to LAN 2.
• Set the IP address 172.16.1.1 as the primary DNS server for the other hosts as well.
4.
5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerprint of the headquarters VPN server as the fingerprint of the remote SSL certificate.
Figure 21.60 The Paris filial office — definition of VPN tunnel for the headquarters
On the Advanced tab, select the Use custom routes only option and set routes to the headquarters’ local networks.
of the remote server — in our example, the ping gw-sanfrancisco.company.com command can be used at the Paris branch office server.
Figure 21.
6. Create an active endpoint of the tunnel connected to London (server gw-london.company.com). Use the fingerprint of the London filial office’s VPN server as the fingerprint of the remote SSL certificate.
Figure 21.
On the Advanced tab, select the Use custom routes only option and set routes to London’s local networks.
Figure 21.63 The Paris filial — routing configuration for the tunnel connected to the London branch office
As in the previous step, check whether the tunnel has been established successfully, and check the reachability of the remote private networks (i.e. of the local networks in the London filial).
7. Add the new VPN tunnels to the Local Traffic rule.
VPN test
The VPN configuration is now complete. At this point, it is recommended to test the reachability of remote hosts in the other networks (at the remote endpoints of the individual tunnels). For example, the ping and/or tracert operating system commands can be used for this testing.
Chapter 22 Kerio Clientless SSL-VPN
Kerio Clientless SSL-VPN (hereinafter “SSL-VPN”) is a special interface used for secure remote access, via a web browser, to shared items (files and folders) in the network protected by WinRoute. To a certain extent, the SSL-VPN interface is an alternative to Kerio VPN Client (see chapter 21).
Click Advanced to open a dialog where the port and SSL certificate for SSL-VPN can be set.
Figure 22.2 Setting of TCP port and SSL certificate for SSL-VPN
SSL-VPN’s default port is 443 (the standard port of the HTTPS service). Click Change SSL Certificate to create a new certificate for the SSL-VPN service or to import a certificate issued by a trusted certification authority. When created, the certificate is saved as sslvpn.
Note: If the port of the SSL-VPN interface is changed, the Service item in this rule must be modified accordingly!
22.2 Usage of the SSL-VPN interface
Most common graphical web browsers can be used to access the interface (however, we recommend Microsoft Internet Explorer version 6.0 or Firefox/Netscape/Mozilla/SeaMonkey with core version 1.3 and later).
counts authenticated only in WinRoute (Internal user database authentication) cannot be used to access SSL-VPN. For details on local user accounts, refer to chapter 13.2.
• If a mapped Active Directory domain is set as primary (or if only one domain is mapped), the username can be specified either without the domain (jdolittle) or with the domain (jdolittle@company.com).
At the top of the page there is an entry where the location of the requested shared item (the so-called UNC path) can be specified — for example:
\\server\folder\subfolder
All shared items in the domain can be browsed using the so-called navigation tree on the left.
Chapter 23 Troubleshooting
This chapter provides several helpful tips for solving problems which might arise during WinRoute deployment.
23.1 Detection of incorrect configuration of the default gateway
One of the most common problems in WinRoute deployments is an incorrect configuration of default gateways in the operating system of the computer where WinRoute is installed. Therefore, WinRoute (since 6.2.0) automatically checks the configuration of default gateways in the system.
Once the configuration of the network interfaces is corrected, it is not necessary to restart the computer or the WinRoute Firewall Engine. Simply log in to the Administration Console again to make sure that the incorrect settings have been fixed (i.e. the alert is no longer displayed). Typically, traffic from the local network to the Internet starts working at this point.
23.2 Configuration Backup and Transfer
For details on traffic between the WinRoute Firewall Engine and the Administration Console, refer to Kerio Administration Console — Help (http://www.kerio.com/kwf-manual).
sslcert
SSL certificates for all components using SSL for traffic encryption (i.e. the web interface, VPN server and the Clientless SSL-VPN interface).
license
If WinRoute has already been registered, the license folder includes a license key file (including registered trial versions).
Directories:
logs
The logs directory stores all WinRoute logs (see chapter 20).
star
The star directory contains the complete statistics database of WinRoute’s web interface.
Handling configuration files
Warning: We recommend that the WinRoute Firewall Engine be stopped prior to any manipulation of the configuration files (backups, restores, etc.)! The information contained within these files is loaded and saved only upon starting or stopping the MailServer.
a unique (randomly generated) identifier in the operating system. It is practically impossible for two identifiers to be identical. To avoid setting up new interfaces and changing traffic rules, you can assign the new identifiers to the original interfaces in the winroute.cfg configuration file.
7. Stop the WinRoute Firewall Engine.
8. Use a plain-text editor (e.g. Notepad) to open the winroute.cfg configuration file.
LAN ...
9. Save the winroute.cfg file and start the WinRoute Firewall Engine. The WinRoute configuration is now identical to the original WinRoute configuration on the previous operating system.
Note: The method described above makes a complete “clone” of WinRoute on a new host. Some of the steps are optional — for example, if you do not wish to keep the current statistics, do not copy the star subdirectory.
23.3 Automatic user authentication using NTLM
WinRoute Configuration
NTLM authentication of users from web browsers must be enabled in Users → Authentication Options. User authentication should be required when accessing web pages; otherwise enabling NTLM authentication is pointless.
Figure 23.2 NTLM — user authentication options
User authentication in the corresponding NT domain must be enabled.
The configuration of WinRoute’s web interface must include a valid DNS name of the server on which WinRoute is running (for details, see chapter 9.1).
Figure 23.5 Configuration of WinRoute’s Web Interface
Web browsers
For NTLM to work properly, a browser that supports this method must be used. Currently, the following browsers are suitable:
• Microsoft Internet Explorer version 5.
Explorer sends the saved login data instead of NTLM authentication of the currently logged-in user. Should any problems with NTLM authentication arise, it is recommended to remove all usernames/passwords for the server where WinRoute is installed from the Password Manager.
Firefox/Netscape/Mozilla/SeaMonkey
The browser displays the login dialog. For security reasons, automatic user authentication is not used by default in these browsers.
23.4 Partial Retirement of Protocol Inspector
Under certain circumstances, applying a protocol inspector to particular communication might be undesirable. To disable protocol inspection for specific traffic, define the corresponding source and destination IP addresses and a traffic rule for this service which states explicitly that no protocol inspector is to be used.
2. In the Configuration → Traffic Policy section, create a rule which permits this service’s traffic between the local network and the bank’s server. Specify that no protocol inspector is to be applied.
Figure 23.7 This traffic rule allows accessing the service without protocol inspection
Note: In the default configuration of the Traffic rules section, the Protocol inspector column is hidden. To show it, change the settings in the Modify columns dialog (see chapter 3.2).
23.5 User accounts and groups in traffic rules
Such a rule enables the specified users to connect to the Internet (if authenticated). However, these users must open the WinRoute interface’s login page manually and authenticate (for details, see chapter 8.1). With such a rule defined, all methods of automatic authentication are ineffective (i.e. redirection to the login page, NTLM authentication and automatic authentication from defined hosts).
Note: In this example, it is assumed that client hosts use the WinRoute DNS Forwarder or a local DNS server (traffic to the DNS server must be allowed). If client stations used a DNS server on the Internet (this configuration is not recommended!), the DNS service would have to be included in the rule which allows unlimited Internet access.
23.6 FTP on WinRoute’s proxy server
The proxy server in WinRoute, version 6.0.2 and later (see chapter 5.5), supports FTP.
server is 3128 (for details, refer to chapter 5.5). It is also recommended to enable the Bypass proxy server for local addresses option — using the proxy server for local addresses would slow down traffic and overburden WinRoute.
Figure 23.11 Configuring proxy server in Microsoft Internet Explorer
HINT: To configure web browsers, you can use a configuration script or automatic configuration detection. For details, see chapter 5.5.
Figure 23.12 Setting proxy server for FTP in Total Commander
HINT: The defined proxy server is indexed and saved to the list of proxy servers automatically. Later, whenever you create other FTP connections, you can simply select the corresponding proxy server from the list.
Chapter 24 Network Load Balancing
Certain versions of the Microsoft Windows operating system allow the creation of a so-called cluster — a group of hosts which behaves as a single virtual server. Clients’ requests to the virtual server are distributed to individual computers within the cluster. This technology is called Network Load Balancing (NLB in the following text). If WinRoute and NLB are used together, a local network can be connected to the Internet by several independent lines.
Figure 24.1 Network configuration for Network Load Balancing
1. Three IP addresses must be reserved when assigning IP addresses in the local network: two for the servers and one for the cluster (i.e. for the virtual server). In this example, the IP addresses 192.168.1.10 and 192.168.1.20 are assigned to the servers. The IP address 192.168.1.1 will be assigned to the cluster.
2.
24.3 Configuration of the servers in the cluster
6. Set 192.168.1.1 (the IP address of the cluster) as the default gateway for computers in the local network and, again, test the availability of computers on the Internet.
HINT: If logging of the corresponding connections is enabled (on both servers) in WinRoute’s traffic rule for access to the Internet from the local network (see chapter 6.
Figure 24.2
Figure 24.
NLB configuration for Server2
The configuration is almost the same as for Server1. However, the IP address of the server is different (192.168.1.20) and a different priority must be selected for the server (e.g. 2).
Note: Cluster configuration for load balancing is too broad and complex a topic to be described in this manual. Detailed information can be found on Microsoft’s technical support Web site:
• Windows 2003: http://support.
Chapter 25 Technical support
Free email and telephone technical support is provided for Kerio WinRoute Firewall. For contacts, see the end of this chapter. Our technical support staff is ready to help you with any problem you might have. You can also solve many problems yourself (and sometimes even faster). Before you contact our technical support, please take the following steps:
• Try to look up the answer in this manual.
25.2 Tested in Beta version
Informational File
You can use the Administration Console to create a text file containing your WinRoute configuration data. Take the following steps to generate the file:
• Run the WinRoute Firewall Engine and connect to it through the Administration Console.
• If you use dial-up, connect to the Internet.
• In the Administration Console, press the Ctrl+S keys. The text file will be stored in the home directory of the logged-in user (e.g.
For details on beta versions and their testing, refer to the http://www.kerio.com/beta web page.
25.3 Contacts
Kerio Technologies can be contacted at the following addresses:
USA
Kerio Technologies Inc.
2350 Mission College Blvd., Suite 400
Santa Clara, CA 95054
Phone: +1 408 496 4500
http://www.kerio.com/
Contact form: http://support.kerio.com/
United Kingdom
Kerio Technologies UK Ltd.
Enterprise House
Vision Park
Histon
Cambridge, CB4 9ZR
Tel.: +44 1223 202 130
http://www.
Appendix A Legal Presumption
Microsoft®, Windows®, Windows NT®, Internet Explorer and Active Directory® are registered trademarks of Microsoft Corporation. Mac OS® and Safari are registered trademarks or trademarks of Apple Computer, Inc. Linux® is a registered trademark of Linus Torvalds. Mozilla® and Firefox® are registered trademarks of Mozilla Foundation. Kerberos™ is a trademark of Massachusetts Institute of Technology (MIT).
Appendix B Used open-source libraries
Kerio WinRoute Firewall contains the following open-source libraries:
IBPP
Copyright 2000-2006 T.I.P. Group S.A. and the IBPP Team
Homepage: http://www.ibpp.
Prototype
Copyright 2005 Sam Stephenson.
Homepage: http://prototype.conio.net/
zlib
Copyright 1995-2005 Jean-Loup Gailly and Mark Adler.
Homepage: http://www.gzip.
Glossary of terms

ActiveX
This proprietary Microsoft technology is used to create dynamic objects for Web pages. It provides a wide range of features, such as saving to disk and running commands at the client (i.e. on the computer where the Web page is opened).

DNS
DNS (Domain Name System) is a worldwide distributed database of Internet hostnames and their associated IP addresses. Computers use Domain Name Servers to resolve host names to IP addresses. Names are organized in hierarchical domains.

Firewall
Software or a hardware device that protects a computer or computer network against attacks from external sources (typically from the Internet). In this guide, the word firewall represents the WinRoute host.

FTP
File Transfer Protocol.

IP address
An IP address is a unique 32-bit number used to identify a host on the Internet. It is written as four decimal numbers (0-255) separated by dots (e.g. 195.129.33.1). Each packet contains information about where it was sent from (source IP address) and to which address it is to be delivered (destination IP address).

IPSec
IPsec (IP Security Protocol) is an extended IP protocol which enables secure data transfer.

NAT
The NAT technology enables connection from local networks to the Internet using a single IP address. All hosts within the local network can access the Internet directly as if they were on a public network (certain limitations apply). Services running on local hosts can be mapped to the public IP address.

Network adapter
The equipment that connects a host to a transmission medium. It can be an Ethernet adapter, a Token Ring adapter, a modem, etc.

the Internet. This implies that IP ranges for local networks cannot collide with IP addresses used in the Internet. The following IP ranges are reserved for private networks:
• 10.0.0.0/255.0.0.0
• 172.16.0.0/255.240.0.0
• 192.168.0.0/255.255.0.0

Protocol inspector
A WinRoute plug-in (partial program) which is able to monitor communication using application protocols (e.g. HTTP, FTP, MMS, etc.).

Spam
Undesirable email message, usually containing advertisements.

Spoofing
Spoofing means using false IP addresses in packets. This method is used by attackers to make recipients assume that the packet is coming from a trustworthy IP address.

SSL
SSL is a protocol used to secure and encrypt network communication. SSL was originally designed by Netscape to ensure secure transfer of Web pages over the HTTP protocol. Nowadays, it is used by most standard Internet protocols (SMTP, POP3, IMAP, LDAP, etc.).

TCP/IP
Name used for all traffic protocols used in the Internet (i.e. for IP, ICMP, TCP, UDP, etc.). TCP/IP does not stand for any particular protocol!

TLS
Transport Layer Security. The new version of the SSL protocol. This version is approved by the IETF and accepted by all the top IT companies (e.g. Microsoft Corporation).

UDP
User Datagram Protocol is a transmission protocol which transfers data through individual messages (so called datagrams).
Index

A
Active Directory 189, 196
  automatic import of accounts 197
  domain mapping 199
  import of user accounts 198
  multiple domains mapping 202
administration 27
  remote 25, 209
Administration Console 27
  views setup 30
alerts 246
  overview 249
  settings 246
  templates 248
anti-spoofing 217
antivirus check 14, 160
  conditions 160
  external antivirus 164
  file size limits 164
  HTTP and FTP 166
  McAfee 162
  protocols 164
  rules for file scanning 168
  settings 162
  SMTP and POP3 170

C
certificate
  SSL-VPN 356
  VPN server 3

D
DNS
  DNS Forwarder 60
  forwarding rules 62
  hosts file 64, 65
  local domain 65

F
FTP
  filtering rules 155, 137, 179, 372

G
groups
  IP address 173
  of forbidden words 153
  URL 180
  user groups 183, 189, 204

I
ISS OrangeWeb Filter
  deployment 149, 147
  parameters configuration 148
  website categories 150

K
Kerberos 189
Kerio Administration Console 21, 27
  views setup 30

L
language
  Administration Console 27
  of alerts 249
  Web Interface 130
license
  expiration 44
  information 34, 32
license key 32
license types 3

  web 296

M
multihoming 109

N
NAT 92, 103, 106
NLB
  configuration 375, 375
NT domain
  import of user accounts 198, 196
NTLM
  configuration of web browsers 368
  deployment 365, 123
  WinRoute configuration 366

P
P2P Eliminator 213
Peer-to-Peer (P2P) networks
  allow 191, 208
  deny 213
  detection 238, 213
  ports 215
  speed limit 213
port
  SSL-VPN 356
port mapping 90, 104, 107
product registration 32
protocol inspector 105, 178, 179
  retirement 369
proxy server
  parent 79, 76, 372

Q
Quick Setup 8
quota
  settings 258

R
ra

  settings 258, 251
  top requested web categories 272
  top visited websites 271
  user groups 254
  volume of transferred data 270
status information
  active hosts 234
  connections 242, 234
subscription
  expiration 44
Syslog 277

T
technical support
  contacts 382, 380
traffic policy
  created by wizard 93
  default rule 95
  definition 96
  exceptions 111
  Internet access limiting 109, 86
  wizard 86
transparent proxy 80
Trial ID 39
TTL 80, 84

U
uninstallation 23
update
  antivirus 162
  WinRoute 210
upgrade
  automatic update

  user preferences 134
  user statistics 133, 125

W
Windows
  Internet Connection Sharing 19
  security center 20
Windows Firewall 19
WinRoute Engine Monitor 20, 21
WinRoute Firewall Engine 20
WinRoute Pro 24
wizard
  configuration 24
  traffic rules 86