Kerio WinRoute Firewall 6 Step-by-Step Configuration
Kerio Technologies s. r. o.
Kerio Technologies s.r.o. All rights reserved. This guide provides a detailed description of the configuration of a local network that uses the Kerio WinRoute Firewall, version 6.7. All additional modifications and updates reserved. For the current version of the product, go to http://www.kerio.com/firewall/download. For other documents addressing the product, see http://www.kerio.com/firewall/manual.
Contents
1 Introduction
2 Headquarters configuration 5
2.1 Selection of IP addresses for LAN 5
2.2 Configuration of network interfaces of the Internet gateway 6
2.3 WinRoute Installation
Chapter 1 Introduction
This guide describes the steps needed to deploy WinRoute in an example network. This network includes most elements present in a real-life WinRoute network — Internet access from the local network, protection against attacks from the Internet, access to selected services on the LAN from the Internet, user access control, automatic configuration of clients on the LAN, user authentication in the Active Directory domain, user browsing behavior control, etc.
Chapter 2 Headquarters configuration
This chapter provides a detailed description of the configuration of the local network and the setup of WinRoute in company headquarters. The same guidance can also be followed for configuration of the network in branch offices (only the IP subnet must be different). For the purposes of this example, it is supposed that an Active Directory domain company.com is created in the headquarters’ LAN and all hosts in the network are included in this domain. 2.
Note: IP addresses can be assigned to printing machines either manually or by a DHCP server. If a DHCP server is used, the printing machine is configured automatically and its address is listed in the DHCP lease list. If configured manually, the printing machine will be independent of the DHCP server’s availability.
• Dynamic IP addresses will be assigned to local workstations (easier configuration).
Figure 2.
2.3 WinRoute Installation
chapter 1). Suppose that the ISP has assigned the IP address 63.55.21.12. It is also recommended to assign a DNS name (e.g. kwf.company.com) to this IP address; otherwise all VPN clients will be required to specify the server by its IP address. Verify connectivity (e.g. by using the ping command or by opening a web site in your browser).
LAN Interface
The following parameters will be set on the LAN interface:
• IP address — we will use the 192.168.1.
Set the following parameters using the Wizard:
• Internet connection type (page 2) — select persistent connection with a single Internet line.
• Internet interface (page 3) — select the interface connected to the Internet.
• Rules used for outgoing traffic (page 4) — these rules enable access to Internet services.
2.6 DNS configuration
this example the 192.168.1.3 address is reserved). You need to know the hardware (MAC) address of the printing machine to make the reservation.
Hint: Do not make the reservation manually unless you know the MAC address of your printing machine. Run the DHCP server and connect the machine to the network. An IP address from the formerly defined scope (see above) will be assigned to the printing machine. In the list of leased addresses, mark this IP address and click on Reserve....
2.7 Web interface and SSL-VPN certificates
WinRoute’s web interface displays a notice whenever an attempt to access a forbidden web site is detected (see chapter 2.10). Users can also use the web interface to set various parameters of their accounts or to access statistics. The Clientless SSL-VPN interface is used for secured remote connections to shared files in local networks via a web browser.
2.9 Address Groups and Time Ranges
If you do not want to use some of the domain accounts, you can block them in WinRoute and hide the blocked accounts. The accounts will be blocked only in WinRoute; they will stay active in the domain. Accounts blocked on the domain server will not even be imported into WinRoute. 2.
• The rules Allow popular search engines and Remove advertisement and banners can be used according to your needs.
• The rule Deny sites rated in Kerio Web Filter categories can be used to block all users’ access to pages with erotic content. Use the Select Rating... button to select the Kerio Web Filter categories that will be blocked. Then select the appropriate categories in the Pornography / Nudity section to deny access to pages with erotic/sexual content.
2.11 FTP Policy Configuration
Requirements
FTP usage will be limited by the following restrictions:
• transmission of music files in the MP3 format will be denied
• transmission of video files (*.AVI) will be denied within working hours
• uploads (storing files at FTP servers) will be denied — protection of important company information
FTP restrictions specified by predefined rules
Go to Configuration → Content Filtering → FTP Policy to set FTP limitations.
2.12 Antivirus Scanning Configuration
Any supported external antivirus application that you intend to use must be installed first. The McAfee antivirus application is integrated into WinRoute and you will need a special license to run it. The ideal solution is to combine the integrated and an external antivirus (the so-called dual antivirus check).
2.14 Secured access of remote clients to LAN
Enable the VPN server for secured access of remote clients (“VPN clients”) to the LAN under Configuration → Interfaces (for details, see chapter 4.1). No additional settings are required. Communication of VPN clients is already allowed by the traffic policy created by the wizard — refer to chapter 2.4.
Note: VPN clients will connect only to the headquarters server.
• volume of transferred data,
• used protocols (services),
• top visited web domains,
• top requested web categories.
Statistics can be shown either for the overall traffic or for individual users.
Access and authentication to the statistics
Internet usage statistics may include sensitive information. For this reason, a special right is used for access to this information, assigned only to the Admin by default.
Chapter 3 Configuration of the LAN in a filial office
For quick configuration of the filial’s LAN, it is possible to follow a method similar to the one used for the headquarters’ network (see chapter 2). The only difference is in the DNS and DHCP configuration. Suppose that there is no domain server or any other DNS server in the filial’s network; WinRoute’s DNS module will then be used as the primary DNS server.
3.1 Configuration of network interfaces of the Internet gateway
Set a fixed IP address (e.g. 10.1.1.
used as the primary DNS server. The forwarder will ensure correct forwarding of requests between the company’s offices and to the Internet.
Chapter 4 Interconnection of the headquarters and branch offices
This chapter provides information on the interconnection of headquarters and branch office servers by an encrypted channel (“VPN tunnel”). The following example describes only the basic configuration of a VPN tunnel between two networks. No tips related to access restrictions or other specific settings are included here. For an example of a more complex VPN configuration, refer to the Kerio WinRoute Firewall — User Guide document.
The headquarters uses IP addresses 192.168.1.x with the network mask 255.255.255.0 and the DNS domain company.com. The branch office uses IP addresses 10.1.1.x with the network mask 255.255.255.0 and the subdomain filial.company.com.
4.1 Headquarters configuration
1. 2. 3. In WinRoute under Configuration / Interfaces select a VPN server, open its settings dialog and enable it.
4.2 Configuration of a filial office
1. 2. 3. In WinRoute under Configuration / Interfaces select a VPN server, open its settings dialog and enable it.
Note: A free subnet which has been selected for the VPN is now specified automatically in the VPN network and Mask entries. There is no reason to change the network.
Use the Edit SSL certificate button to create an SSL certificate with the name of the corresponding server (e.g. server.officebrazil.company.com).
If a remote host is tested by IP address and it does not respond, check the configuration of the traffic rules and/or find out whether the subnets collide (i.e. whether the same subnet is used at both ends of the tunnel). If the IP address is tested successfully but an error (Unknown host) is reported when the corresponding DNS name is tested, check the DNS configuration.
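The subnet-collision check described above, as an added example that is not part of the Kerio guide: it takes the guide's headquarters (192.168.1.0/24) and filial (10.1.1.0/24) subnets plus constructed placeholder VPN subnets (the guide says WinRoute picks a free one automatically but gives no value) and reports every overlapping pair at either end of the tunnel, generalizing from identical subnets to any overlap (one subnet containing another).

```python
import ipaddress
from itertools import combinations

# Subnets from the guide's example: headquarters 192.168.1.0/24 and the
# filial office 10.1.1.0/24. The 172.16.x.0/24 VPN subnets are constructed
# placeholders, not values from the guide.
TUNNEL_ENDS = {
    "headquarters": ["192.168.1.0/24", "172.16.1.0/24"],
    "filial": ["10.1.1.0/24", "172.16.2.0/24"],
}


def find_collisions(ends):
    """Return every pair of overlapping subnets across the tunnel ends as
    tuples (site_a, net_a, site_b, net_b), sorted for stable output.
    Overlap covers identical subnets as well as one subnet containing
    another; an empty list means routing across the tunnel is unambiguous."""
    labelled = []
    for site, cidrs in ends.items():
        for cidr in cidrs:
            # strict=True rejects host addresses such as 192.168.1.12/24
            labelled.append((site, ipaddress.ip_network(cidr, strict=True)))
    hits = []
    for a, b in combinations(labelled, 2):
        if a[1].overlaps(b[1]):
            first, second = sorted((a, b), key=lambda x: (x[0], str(x[1])))
            hits.append((first[0], str(first[1]), second[0], str(second[1])))
    return sorted(hits)


def explain(ends):
    """Verdict in the spirit of the guide's troubleshooting hint: no collision
    means the traffic rules are the next thing to check."""
    hits = find_collisions(ends)
    if not hits:
        return "no subnet collision between tunnel ends; check traffic rules next"
    detail = "; ".join(f"{sa} {na} overlaps {sb} {nb}" for sa, na, sb, nb in hits)
    return "subnet collision: " + detail


if __name__ == "__main__":
    print(explain(TUNNEL_ENDS))
    # Constructed failure case: both offices were given 192.168.1.0/24.
    clash = {"headquarters": ["192.168.1.0/24"], "filial": ["192.168.1.0/24"]}
    print(explain(clash))
```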
Appendix A Legal Notices
Microsoft®, Windows®, Windows NT® and Active Directory® are registered trademarks or trademarks of Microsoft Corporation. Other names of real companies and products mentioned in this document may be registered trademarks or trademarks of their owners.