Kerio-tech Firewall6 User Manual Page 1

View online or download the User Manual for Hardware Kerio-tech Firewall6. Kerio Tech Firewall6 User Manual

Summary of Contents

Page 1 - Kerio WinRoute Firewall 6

Kerio WinRoute Firewall 6 Administrator’s Guide Kerio Technologies

Page 2

Chapter 2 Introduction 10 access to a specific port (it can temporarily open the port demanded by the server). FTP in the active mode, Real Audio or PPTP

Page 3 - Contents

Chapter 7 Traffic Policy 100 Figure 7.40 Enabling Full cone NAT in the traffic rule 7.9 Media hairpinning WinRoute allows to “arrange” traffic between two clien

Page 4

7.9 Media hairpinning 101 a packet is addressed to a client in the local network. Then it translates the destination IP address and sends the packet back

Page 5

102 Chapter 8 Configuration of network services This chapter provides guidelines for setting of basic services in WinRoute helpful for easy configuration an

Page 6

8.1 DNS Forwarder 103 of the firewall’s network interfaces, see chapter 5, more information on Internet connection options, refer to chapter 6. DNS Forward

Page 7 - Quick Checklist

Chapter 8 Configuration of network services 104 1. Time period for keeping DNS logs in the cache is specified individually in each log (usually 24 hours). 2

Page 8

8.1 DNS Forwarder 105 The rule can be defined for: • DNS name — queries requiring names of computers will be forwarded to this DNS server (so called A quer

Page 9 - Introduction

Chapter 8 Configuration of network services 106 • The Name DNS query option allows specification of a rule for name queries. Use the If the queried name ma

Page 10

8.1 DNS Forwarder 107 names. When any DNS query is received, this file will be checked first to find out whether the desired name or IP address is included.

Page 11 - 2.2 Conflicting software

Chapter 8 Configuration of network services 108 Example The local domain’s name is company.com. The host called john is configured so as to obtain an IP add

Page 12

8.2 DHCP server 109 DHCP Server Configuration To configure the DHCP server in WinRoute go to Configuration → DHCP Server. Here you can define IP scopes, reser

Page 13 - 2.3 Installation

2.2 Conflicting software 11 Email alerts WinRoute can send email alerts informing users about various events. This function makes firewall administration ea

Page 14

Chapter 8 Configuration of network services 110 Figure 8.6 DHCP server — default DHCP parameters DNS server Any DNS server (or multiple DNS servers separat

Page 15

8.2 DHCP server 111 Figure 8.7 DHCP server — IP scopes definition First address, Last address First and last address of the new scope. Note: If possible, we

Page 16

Chapter 8 Configuration of network services 112 Example In 192.168.1.0 subnet you intend to create two scopes: from 192.168.1.10 to 192.168.1.49 and from 1

Page 17 - Sharing

8.2 DHCP server 113 Figure 8.9 DHCP server — DHCP settings To view configured DHCP parameters and their values within appropriate IP scopes see the right c

Page 18 - 2.4 WinRoute Components

Chapter 8 Configuration of network services 114 Figure 8.11 DHCP server — reserving an IP address Any IP address included in a defined subnet can be reserv

Page 19 - 2.5 WinRoute Engine Monitor

8.2 DHCP server 115 Leases IP scopes can be viewed in the Leases tab. These scopes are displayed in the form of trees. All current leases within the appro

Page 20

Chapter 8 Configuration of network services 116 1. Data about expired and released addresses are kept by the DHCP server and can be used later if the same

Page 21

8.2 DHCP server 117 Figure 8.13 DHCP server — advanced options Warning 1. DHCP server cannot assign addresses to RAS clients connecting to the RAS server d

Page 22 - 2.7 Configuration Wizard

Chapter 8 Configuration of network services 118 8.3 Dynamic DNS for public IP address of the firewall Kerio WinRoute Firewall provides (among others) servi

Page 23

8.3 Dynamic DNS for public IP address of the firewall 119 2. Dynamic DNS records use very short time-to-live (TTL) and, therefore, they are kept in cache

Page 24 - WinRoute Administration

Chapter 2 Introduction 12 • The Windows Firewall / Internet Connection Sharing system service. WinRoute can automatically detect and disable this service

Page 25

Chapter 8 Configuration of network services 120 Once this information is defined, it is recommended to test update of dynamic DNS record by clicking on Upd

Page 26

8.4 Proxy server 121 Proxy Server Configuration To configure proxy server parameters open the Proxy server tab in Configuration → Content Filtering → HTTP Po

Page 27 - 3.2 View Settings

Chapter 8 Configuration of network services 122 Enable connection to any TCP port This security option enables to allow or block so called tunneling of ot

Page 28

8.5 HTTP cache 123 Allow browsers to use configuration script automatically... It is possible to let Internet Explorer be configured automatically by the D

Page 29 - Chapter 4

Chapter 8 Configuration of network services 124 Figure 8.16 HTTP cache configuration Cache directory Directory that will be used to store downloaded objects

Page 30 - 4.2 License information

8.5 HTTP cache 125 startup, the WinRoute Firewall Engine detects that the cache size exceeds 2047 MB, the size is changed to the allowed value automatica

Page 31

Chapter 8 Configuration of network services 126 Note: Clients can always require a check for updates from the Web server (regardless of the cache settings

Page 32

8.5 HTTP cache 127 TTL TTL of objects matching with the particular URL. The 0 days, 0 hours option means that objects will not be cached. Cache status and

Page 33

Chapter 8 Configuration of network services 128 Figure 8.19 HTTP cache administration dialog Example Search for the *ker?o* string lists all objects with URL

Page 34

8.5 HTTP cache 129

Page 35

2.3 Installation 13 • 4090/TCP+UDP — proprietary VPN server (for details refer to chapter 23) Antivirus applications Most of the modern desktop antivirus

Page 36

130 Chapter 9 Bandwidth Limiter The main problem of shared Internet connection is when one or more users download or upload big volume of data and occupy

Page 37

9.2 Bandwidth Limiter configuration 131 Figure 9.1 Bandwidth Limiter configuration The Bandwidth Limiter module enables to define reduction of speed of inco

Page 38

Chapter 9 Bandwidth Limiter 132 services if too much big data volumes are transferred). If they are lower, full line capacity is often not employed. Warni

Page 39

9.2 Bandwidth Limiter configuration 133 Figure 9.2 Bandwidth Limiter — network services Figure 9.3 Bandwidth Limiter — selection of network services IP Add

Page 40

Chapter 9 Bandwidth Limiter 134 addresses across the local network and the Internet. Where user workstations use fixed IP addresses, it is also possible t

Page 41

9.3 Detection of connections with large data volume transferred 135 cally. With exception of special conditions (testing purposes) it is highly recommen

Page 42 - 4.6 User counter

Chapter 9 Bandwidth Limiter 136 Examples: The detection of connections transferring large data volumes will be better understood through the following exa

Page 43

137 Chapter 10 User Authentication WinRoute allows administrators to monitor connections (packet, connection, Web pages or FTP objects and command filterin

Page 44 - Network interfaces

Chapter 10 User Authentication 138 from the IP address. However, users may authenticate from other hosts (using the methods described above). IP addresses

Page 45

10.1 Firewall User Authentication 139 Redirection to the authentication page If the Always require users to be authenticated when accessing web pages opt

Page 46

Chapter 2 Introduction 14 Installation packages Kerio WinRoute Firewall is distributed in two editions: one is for 32-bit systems and the other for 64-bit

Page 47 - Figure 5.2 Editing interfaces

Chapter 10 User Authentication 140 available for other operating systems. For details, refer to chapter 25.2. Automatically logout users when they are ina

Page 48

141 Chapter 11 Web Interface WinRoute contains a special Web server that can be used for several purposes, such as an interface for viewing of statistics

Page 49 - Internet Connection

Chapter 11 Web Interface 142 Figure 11.1 Configuration of WinRoute’s Web Interface Enable secured Web Interface (HTTPS) Use this option to open the secured

Page 50

11.1 Web Interface Parameters Configuration 143 Advanced parameters for the Web interface can be set upon clicking on the Advanced button. Configuration of

Page 51

Chapter 11 Web Interface 144 SSL Certificate for the Web Interface The principle of an encrypted WinRoute Web interface is based on the fact that all comm

Page 52

11.1 Web Interface Parameters Configuration 145 Figure 11.3 SSL certificate of WinRoute’s Web interface Figure 11.4 Creating a new “self-signed” certificate

Page 53

Chapter 11 Web Interface 146 Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). To import a certificate, open the certificate file (*.c

Page 54

11.2 User logon and logout 147 • Primary domain — missing domain is acceptable in the name specification (e.g. jsmith), but it is also possible to include

Page 55

Chapter 11 Web Interface 148 Hint URL for user logout from the firewall can be added to the web browser’s toolbar as a link. User can use this “button” for

Page 56

11.3 Status information and user statistics 149 11.3 Status information and user statistics On the Status tab, the following information is provided: User

Page 57

2.3 Installation 15 We recommend you to check through the following items before you run WinRoute installation: • Time of the operating system should be

Page 58 - 6.3 Connection Failover

Chapter 11 Web Interface 150 Figure 11.8 Current web restrictions and rules 11.4 User preferences The Preferences tab allows setting of custom web content

Page 59

11.4 User preferences 151 Figure 11.9 Customized Web objects filtering This option will block the window.open() method in JavaScript. • Cross-domain refere

Page 60 - Chapter 6 Internet Connection

Chapter 11 Web Interface 152 Figure 11.10 Editing user password Warning Passwords can be changed only if the user is configured in the WinRoute internal da

Page 61

11.5 Dial-up 153 Note: Language settings affect also the format of displaying date and numbers in the web interface. 11.5 Dial-up Users allowed to dial RAS

Page 62 - 6.4 Network Load Balancing

154 Chapter 12 HTTP and FTP filtering WinRoute provides a wide range of features to filter traffic using HTTP and FTP protocols. These protocols are the most

Page 63

12.1 Conditions for HTTP and FTP filtering 155 12.1 Conditions for HTTP and FTP filtering For HTTP and FTP content filtering, the following conditions must

Page 64

Chapter 12 HTTP and FTP filtering 156 Rules in this section are tested from the top of the list downwards (you can order the list entries using the arrow

Page 65

12.2 URL Rules 157 Figure 12.2 URL Rule — basic parameters Open the General tab to set general rules and actions to be taken. Description Description of th

Page 66

Chapter 12 HTTP and FTP filtering 158 for example a rule allowing access to certain pages without authentication can be defined. 2. Unless authentication is

Page 67 - Traffic Policy

12.2 URL Rules 159 Go to the Advanced tab to define more conditions for the rule or/and to set options for denied pages. Figure 12.3 URL Rule — advanced pa

Page 68

Chapter 2 Introduction 16 Figure 2.1 Installation — customization by selecting optional components use). This will install the WinRoute low-level driver

Page 69

Chapter 12 HTTP and FTP filtering 160 Denial options Advanced options for denied pages. Whenever a user attempts to open a page that is denied by the rule,

Page 70

12.2 URL Rules 161 Figure 12.4 Options for Websites with content meeting a URL rule Deny Web pages containing ... Use this option to deny users to access

Page 71

Chapter 12 HTTP and FTP filtering 162 Figure 12.5 HTTP protocol inspector settings 12.3 Global rules for Web elements In WinRoute you can also block certai

Page 72

12.4 Content Rating System (ISS OrangeWeb Filter) 163 Figure 12.6 Global rules for Web elements Allow <applet> HTML tags HTML <applet> tags (J

Page 73

Chapter 12 HTTP and FTP filtering 164 in the ISS OrangeWeb Filter tab will not be available). For detailed information about the licensing policy, read ch

Page 74 - 7.2 How traffic rules work

12.4 Content Rating System (ISS OrangeWeb Filter) 165 Figure 12.7 ISS OrangeWeb Filter configuration • server name (e.g. www.kerio.com). Server name repre

Page 75

Chapter 12 HTTP and FTP filtering 166 On the URL Rules tab in Configuration → Content Filtering → HTTP Rules, define a rule by using image 12.8 as guidance:

Page 76

12.5 Web content filtering by word occurrence 167 Figure 12.9 ISS OrangeWeb Filter categories Note: 1. You can define multiple URL rules that will use the I

Page 77

Chapter 12 HTTP and FTP filtering 168 Warning Definition of forbidden words and threshold value is ineffective unless corresponding URL rules are set! Definitio

Page 78

12.5 Web content filtering by word occurrence 169 • On the Content Rules tab, check the Deny Web pages containing... option to enable filtering by word occ

Page 79

2.3 Installation 17 Warning If the FAT32 file system is used, it is not possible to protect WinRoute in the way suggested above. For this reason, it is rec

Page 80

Chapter 12 HTTP and FTP filtering 170 Individual groups and words included in them are displayed in form of trees. To enable filtering of particular words

Page 81

12.6 FTP Policy 171 Weight Word weight the level of how the word affects possible blocking or allowing of access to websites. The weight should respect fre

Page 82

Chapter 12 HTTP and FTP filtering 172 FTP Rules Definition To create a new rule, select a rule after which the new rule will be added, and click Add. You ca

Page 83

12.6 FTP Policy 173 Open the General tab to set general rules and actions to be taken. Description Description of the rule (information for the administra

Page 84

Chapter 12 HTTP and FTP filtering 174 Go to the Advanced tab to define other conditions that must be met for the rule to be applied and to set advanced opt

Page 85

12.6 FTP Policy 175 Scan content for viruses according to scanning rules Use this option to enable/disable scanning for viruses for FTP traffic which meet

Page 86

176 Chapter 13 Antivirus control WinRoute provides antivirus check of objects (files) transmitted by HTTP, FTP, SMTP and POP3 protocols. In case of HTTP an

Page 87 - 7.4 Basic Traffic Rule Types

13.2 How to choose and setup antiviruses 177 local network — incoming email at the local SMTP server). Check of outgoing traffic causes problems with tempo

Page 88

Chapter 13 Antivirus control 178 Use the Integrated antivirus engine section in the Antivirus tab to set update parameters for McAfee. Figure 13.2 Antivir

Page 89

13.2 How to choose and setup antiviruses 179 Last update check performed ... ago Time that has passed since the last update check. Virus database version D

Page 90

Chapter 2 Introduction 18 Figure 2.2 Disabling colliding system services during installation Note: 1. Upon each startup, WinRoute detects automatically wh

Page 91

Chapter 13 Antivirus control 180 Use the Options button to set advanced parameters for the selected antivirus. Dialogs for individual antiviruses differ

Page 92

13.3 HTTP and FTP scanning 181 network send their email via an SMTP server located in the Internet. Checking of outgoing SMTP traffic is not apt for local

Page 93 - 7.5 Policy routing

Chapter 13 Antivirus control 182 To set parameters of HTTP and FTP antivirus check, open the HTTP, FTP scanning tab in Configuration → Content Filtering →

Page 94

13.3 HTTP and FTP scanning 183 Warning When handling files in the quarantine directory, please consider carefully each action you take, otherwise a virus m

Page 95

Chapter 13 Antivirus control 184 Scanning rules are ordered in a list and processed from the top. Arrow buttons on the right can be used to change the or

Page 96

13.4 Email scanning 185 Action Settings in this section define whether or not the object will be scanned. If the Do not scan alternative is selected, antiv

Page 97

Chapter 13 Antivirus control 186 Advanced parameters and actions that will be taken when a virus is detected can be set in the Email scanning tab. Figure

Page 98 - 7.8 Use of Full cone NAT

13.5 Scanning of files transferred via Clientless SSL-VPN 187 Note: Regardless of what action is set to be taken, the attachment is always removed and a w

Page 99

Chapter 13 Antivirus control 188 Figure 13.10 Settings for scanning of files transferred via Clientless SSL-VPN Transfer directions Use the top section of

Page 100 - 7.9 Media hairpinning

189 Chapter 14 Definitions 14.1 IP Address Groups IP groups are used for simple access to certain services (e.g. WinRoute’s remote administration, Web serve

Page 101

2.5 WinRoute Engine Monitor 19 system start-up). It also provides easy access to the Administration Console. For details, refer to chapter 2.5. Note: WinR

Page 102 - 8.1 DNS Forwarder

Chapter 14 Definitions 190 Figure 14.2 IP group definition Type Type of the new item: • Host (IP address or DNS name of a particular host), • Network / Mask (

Page 103

14.2 Time Intervals 191 Figure 14.3 WinRoute’s time intervals Time range types When defining a time interval three types of time ranges (subintervals) can

Page 104

Chapter 14 Definitions 192 Figure 14.4 Time range definition Valid at days Defines days when the interval will be valid. You can either select particular wee

Page 105

14.3 Services 193 Figure 14.5 WinRoute’s network services Clicking on the Add or the Edit button will open a dialog for service definition. Figure 14.6 Net

Page 106

Chapter 14 Definitions 194 Description Comments for the service defined. It is strongly recommended describing each definition, especially with non-standard

Page 107

14.3 Services 195 • Any — all the ports available (1-65535) • Equal to — a particular port (e.g. 80) • Greater than, Less than — all ports with a number tha

Page 108 - 8.2 DHCP server

Chapter 14 Definitions 196 Note: 1. Generally, protocol inspectors cannot be applied to secured traffic (SSL/TLS). In this case, WinRoute “perceives” the tra

Page 109

14.4 URL Groups 197 • Search engines — top Internet search engines. • Windows Updates — URL of pages requested for automatic updates of Windows. These URL

Page 110

Chapter 14 Definitions 198 Examples: • www.kerio.com/index.html — a particular page • www.* — all URL addresses starting with www. www.* • www.kerio.com — al

Page 111

199 Chapter 15 User Accounts and Groups User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts c

Page 112

Kerio Technologies. All Rights Reserved. This guide provides detailed description on the Kerio WinRoute Firewall, version 6.5.1. Improved version. All

Page 113

Chapter 2 Introduction 20 Start-up Preferences With these options WinRoute Engine and/or WinRoute Engine Monitor applications can be set to be launched au

Page 114

Chapter 15 User Accounts and Groups 200 Transparent cooperation with Active Directory (Active Directory mapping) WinRoute can use accounts and groups sto

Page 115

15.1 Viewing and definitions of user accounts 201 The searching is helpful especially when the domain includes too many accounts which might make it difficu

Page 116

Chapter 15 User Accounts and Groups 202 Note: It is also possible to select more than one account by using the Ctrl and Shift keys to perform mass change

Page 117

15.2 Local user accounts 203 Figure 15.2 Local user accounts in WinRoute Step 1 — basic information Figure 15.3 Creating a user account — basic parameters

Page 118

Chapter 15 User Accounts and Groups 204 Warning The user name is not case-sensitive. We recommend not to use special characters (non-English languages) w

Page 119

15.2 Local user accounts 205 Warning 1. Passwords may contain printable symbols only (letters, numbers, punctuation marks). Password is case-sensitive. We

Page 120 - 8.4 Proxy server

Chapter 15 User Accounts and Groups 206 Step 3 — access rights Figure 15.5 Creating a new user account — user rights Each user must be assigned one of the

Page 121

15.2 Local user accounts 207 is displayed. The unlock feature must also be enabled in the corresponding URL rule (for details, refer to chapter 12.2). Use

Page 122

Chapter 15 User Accounts and Groups 208 Figure 15.6 Creating a new user account — data transmission quota Check the Notify user by email when quota is ex

Page 123 - 8.5 HTTP cache

15.2 Local user accounts 209 Don’t block further traffic mode • resetting of the data volume counter of the user (see chapter 20.1). 2. Actions for quota-ex

Page 124

2.6 Upgrade and Uninstallation 21 Uninstallation To uninstall WinRoute, stop all three WinRoute components. The Add/Remove Programs option in the Control

Page 125

Chapter 15 User Accounts and Groups 210 set by using user’s web browser preferences, language set as preferred for the previous user’s login to the web i

Page 126

15.3 Local user database: external authentication and import of accounts 211 Automatic login can be set for the firewall (i.e. for the WinRoute host) or/

Page 127

Chapter 15 User Accounts and Groups 212 Active Directory Use the Enable Active Directory authentication option to enable/disable user authentication at th

Page 128

15.3 Local user database: external authentication and import of accounts 213 Figure 15.10 Configuration of automatic import of user accounts from Active

Page 129

Chapter 15 User Accounts and Groups 214 domain type, specify the following parameters: • NT domain — domain name is required for import. The WinRoute hos

Page 130 - Bandwidth Limiter

15.4 Active Directory domains mapping 215 Note: The Windows NT domain cannot be mapped as described. In case of the Windows NT domain, it is recommended

Page 131

Chapter 15 User Accounts and Groups 216 Figure 15.13 Active Directory domain mapping Domain Access In the Domain Access section, specify the login user na

Page 132

15.4 Active Directory domains mapping 217 Figure 15.14 Advanced settings for access to the Active Directory NT authentication support For the Active Direc

Page 133

Chapter 15 User Accounts and Groups 218 One domain is always set as primary. In this domain, all user accounts where the domain is not specified, will be

Page 134

15.5 User groups 219 The following operations will be performed automatically within each conversion: • substitution of any appearance of the local accou

Page 135

Chapter 2 Introduction 22 2.7 Configuration Wizard Using this Wizard you can define all basic WinRoute parameters. It is started automatically by the instal

Page 136

Chapter 15 User Accounts and Groups 220 Domain Use the Domain option to select a domain for which user accounts or other parameters will be defined. This i

Page 137 - User Authentication

15.5 User groups 221 Step 2 — group members Figure 15.19 Creating a user group — adding user accounts to the group Using the Add and Remove buttons you ca

Page 138

Chapter 15 User Accounts and Groups 222 The group must be assigned one of the following three levels of access rights: No access to administration Users i

Page 139

223 Chapter 16 Remote Administration and Update Checks 16.1 Setting Remote Administration Remote administration can be either permitted or denied by defini

Page 140

Chapter 16 Remote Administration and Update Checks 224 Hint The same method can be used to enable or disable remote administration of Kerio MailServer thr

Page 141 - Web Interface

16.2 Update Checking 225 Check for new versions Use this option to enable/disable automatic checks for new versions. Checks are performed: • 2 minutes af

Page 142

Chapter 16 Remote Administration and Update Checks 226 Figure 16.3 Administration Console’s welcome page informing that a new version is available

Page 143

227 Chapter 17 Advanced security features 17.1 P2P Eliminator Peer-to-Peer (P2P) networks are world-wide distributed systems, where each node can represe

Page 144

Chapter 17 Advanced security features 228 Figure 17.1 Detection settings and P2P Eliminator Check the Inform user by email option if you wish that users

Page 145

17.1 P2P Eliminator 229 Note: 1. If a user who is allowed to use P2P networks (see chapter 15.1) is connected to the firewall from a certain host, no P2P

Page 146 - 11.2 User logon and logout

2.7 Configuration Wizard 23 and administration. Thus WinRoute will enable all traffic between the firewall and the remote host. Note: Skip this step if you in

Page 147

Chapter 17 Advanced security features 230 Number of suspicious connections Big volume of connections established from the client host is a typical featur

Page 148

17.2 Special Security Settings 231 Figure 17.4 Security options — Anti-Spoofing and cutting down number of connections for one host Anti-Spoofing Anti-Spoofi

Page 149

Chapter 17 Advanced security features 232 Connections count limit is useful especially when a local client host is attacked by a worm or Trojan horse whi

Page 150 - 11.4 User preferences

233 Chapter 18 Other settings 18.1 Routing table Using Administration Console you can view or edit the system routing table of the host where WinRoute is r

Page 151

Chapter 18 Other settings 234 Warning Changes in the routing table might interrupt the connection between the WinRoute Firewall Engine and the Administrat

Page 152

18.1 Routing table 235 Definitions of Dynamic and Static Rules Click on the Add (or Edit when a particular route is selected) button to display a dialog f

Page 153 - 11.5 Dial-up

Chapter 18 Other settings 236 If this option is not enabled, the route will be valid only until the operating system is restarted or until removed manual

Page 154 - HTTP and FTP filtering

18.2 Universal Plug-and-Play (UPnP) 237 Enable UPnP This option enables UPnP. Warning If WinRoute is running on Windows XP, Windows Server 2003, Windows Vi

Page 155 - 12.2 URL Rules

Chapter 18 Other settings 238 18.3 Relay SMTP server WinRoute provides a function which enables notification to users or/and administrators by email alerts

Page 156

18.3 Relay SMTP server 239 be used for reference in recipient’s mail client or for email classification. This is why it is always recommended to specify s

Page 157

24 Chapter 3 WinRoute Administration All Kerio products including WinRoute are administered through the Kerio Administration Console application (an applic

Page 158

240 Chapter 19 Status Information WinRoute activities can be well monitored by the administrator (or by other users with appropriate rights). There are

Page 159

19.1 Active hosts and connected users 241 Figure 19.1 List of active hosts and users connected to the firewall User Name of the user which is connected fro

Page 160

Chapter 19 Status Information 242 Connections Total number of connections to and from the host. Details can be displayed in the context menu (see below) Au

Page 161

19.1 Active hosts and connected users 243 User quota Use this option to show quota of the particular user (Administration Console switches to the User quo

Page 162

Chapter 19 Status Information 244 Login information Information on logged-in users: • User — name of a user, DNS name (if available) and IP address of the

Page 163

19.1 Active hosts and connected users 245 • FTP — DNS name or IP address of the server, size of downloaded/saved data, information on currently downloade

Page 164

Chapter 19 Status Information 246 The following columns are hidden by default. They can be shown through the Modify columns dialog opened from the contex

Page 165

19.2 Network connections overview 247 Figure 19.6 Information on selected host and user — traffic histogram Select an item from the Time interval combo box

Page 166

Chapter 19 Status Information 248 • connections from other hosts to services provided by the host with WinRoute • connections performed by clients within

Page 167

19.2 Network connections overview 249 Source, Destination IP address of the source (the connection initiator) and of the destination. If there is an appro

Page 168

3.1 Administration Window 25 Figure 3.1 The main window of Administration Console for WinRoute Administration Window — Main menu The main menu provides th

Page 169

Chapter 19 Status Information 250 Figure 19.8 Context menu for Connections Refresh This option will refresh the information in the Connections window imme

Page 170

19.3 Alerts 251 For each item either a color or the Default option can be chosen. Default colors are set in the operating system (the common setting for

Page 171 - 12.6 FTP Policy

Chapter 19 Status Information 252 This tab provides list of “rules” for alert sending. Use checking boxes to enable/disable individual rules. Use the Ad

Page 172

19.3 Alerts 253 • Connection failover event — the Internet connection has failed and the system was switched to a secondary line, or vice versa (it was s

Page 173

Chapter 19 Status Information 254 (overview), • the console\details subdirectory — messages displayed at the bottom section of Status → Alerts (details), •

Page 174

19.3 Alerts 255 Each line provides information on one alert: • Date — date and time of the event, • Alert — event type, • Details — basic information on ev

Page 175

256 Chapter 20 Basic statistics Statistical information about users (volume of transmitted data, used services, categorization of web pages) as well as of

Page 176 - Antivirus control

20.1 Volume of transferred data and quota usage 257 Figure 20.1 User statistics Note: 1. Optionally, other columns providing information on volume of data

Page 177

Chapter 20 Basic statistics 258 Warning Be aware that using this option for the all users item resets counters of all users, including unrecognized ones! N

Page 178

20.2 Interface statistics 259 Figure 20.3 Firewall’s interface statistics Example The WinRoute host connects to the Internet through the Public interface

Page 179

Chapter 3 WinRoute Administration 26 • Copy license number to clipboard — copies the license number (the ID licence item) to the clipboard. This may be h

Page 180

Chapter 20 Basic statistics 260 Reset interface statistics This option resets statistics of the selected interface. It is available only if the mouse poin

Page 181 - 13.3 HTTP and FTP scanning

20.2 Interface statistics 261 Figure 20.5 Chart informing about average throughput at the interface Example Suppose the 1 day interval is selected. Then,

Page 182

262 Chapter 21 Kerio StaR — statistics and reporting The WinRoute’s web interface provides detailed statistics on users, volume of transferred data, visit

Page 183

21.1 Monitoring and storage of statistic data 263 The statistics use data from the main database. This implies that current traffic of individual users is

Page 184

Chapter 21 Kerio StaR — statistics and reporting 264 The following example addresses case of a mapped web server accessible from the Internet. Any (anony

Page 185 - 13.4 Email scanning

21.2 Settings for statistics and quota 265 Enable/disable gathering of statistic data The Gather Internet Usage statistics option enables/disables all st

Page 186

Chapter 21 Kerio StaR — statistics and reporting 266 Statistics and quota exceptions On the Exceptions tab, it is possible to define exceptions for statis

Page 187

21.3 Connection to StaR and viewing statistics 267 For details on IP groups, see chapter 14.1. Users and groups Select users and/or user groups which will

Page 188

Chapter 21 Kerio StaR — statistics and reporting 268 Note: Within local systems, secured traffic would be useless and the browser would bother user with ne

Page 189 - Definitions

21.3 Connection to StaR and viewing statistics 269 Warning In case of access via the Internet (i.e. from a remote host) it is recommended to use only the

Página 190 - 14.2 Time Intervals

3.2 View Settings27Detection of WinRoute Firewall Engine connection drop-outAdministration Console is able to detect the connection failure automatica

Page 191

Chapter 21 Kerio StaR — statistics and reporting (p. 270). Printable version: Any page of the StaR interface can be converted to a printable version. For this p

Page 192 - 14.3 Services

21.4 Accounting period (p. 271). Figure 21.7 Selection of accounting period. Figure 21.8 Custom accounting period. The starting and ending day can be defined manua

Page 193

Chapter 21 Kerio StaR — statistics and reporting (p. 272). 21.5 Overall View. The Overall tab provides overall statistics for all users within the local network

Page 194

21.5 Overall View (p. 273). Figure 21.10 Chart of top visited web domains. Top Requested Web Categories: This chart shows top five web categories requested in the

Page 195

Chapter 21 Kerio StaR — statistics and reporting (p. 274). Figure 21.12 Top 5 users statistics. ter 10.1. Hint: The way of users’ names are displayed in the table

Page 196 - 14.4 URL Groups

21.5 Overall View (p. 275). For better reference, WinRoute sorts protocols to predefined classes: • Web — HTTP and HTTPS protocols and any other traffic served by

Page 197

Chapter 21 Kerio StaR — statistics and reporting (p. 276). 21.6 User statistics. The Individual tab allows showing of statistics for a selected user. First, sele

Page 198

21.7 Users’ Activity (p. 277). 21.7 Users’ Activity. The Users’ Activity tab allows showing of detailed information on “browsing activities” of individual user

Page 199 - User Accounts and Groups

Chapter 21 Kerio StaR — statistics and reporting (p. 278). • Updating data in StaR — to WinRoute, gathering and evaluation of information for StaR means proces

Page 200

21.7 Users’ Activity (p. 279). The header informs about the total number of visited web pages in the selected period and the total number of web searches. WinR

Page 201

Chapter 3 WinRoute Administration (p. 28). Figure 3.4 Column customization in Interfaces. This dialog offers a list of all columns available for a corresponding

Page 202 - 15.2 Local user accounts

Chapter 21 Kerio StaR — statistics and reporting (p. 280). The header informs about number of detected email messages and total volume of data transferred by e

Page 203 - Step 1 — basic information

21.7 Users’ Activity (p. 281). The header informs about total number of recognized files, total volume of transferred data (in both directions), data transferre

Page 204

Chapter 21 Kerio StaR — statistics and reporting (p. 282). rules — e.g. by browsing through banned web pages on a remote host or by transferring forbidden files

Page 205

21.9 Top Visited Websites (p. 283). Figure 21.23 The Users by Traffic table. Hint: The way of users’ names are displayed in the table can be set in the Administrati

Page 206

Chapter 21 Kerio StaR — statistics and reporting (p. 284). Figure 21.24 Top visited web domains. the particular domain (the www prefix is attached to the domain

Page 207

21.10 Top Requested Web Categories (p. 285). Figure 21.26 Table of top active users for the particular domain. Hint: The way of users’ names are displayed in the

Page 208

Chapter 21 Kerio StaR — statistics and reporting (p. 286). Below the chart, detailed statistics for each of top ten visited web categories are shown: • The hea

Page 209

21.10 Top Requested Web Categories (p. 287). Hint: The way of users’ names are displayed in the table can be set in the Administration Console, in section Accoun

Page 210

Chapter 22: Logs (p. 288). Logs are files where history of certain events performed through or detected by WinRoute are recorded and kept. Each log is displayed i

Page 211

22.1 Log settings (p. 289). Figure 22.1 Log settings. File Logging: Use the File Logging tab to define file name and rotation parameters. Enable logging to file: Use thi

Page 212

Chapter 4: Product Registration and Licensing (p. 29). When purchased, Kerio WinRoute Firewall must be registered. Upon registration of the product, so called li

Page 213

Chapter 22 Logs (p. 290). Figure 22.2 File logging settings. Keep at most ... log file(s): Maximal count of log files that will be stored. Whenever the threshold is

Page 214

22.2 Logs Context Menu (p. 291). Figure 22.3 Syslog settings. Syslog server: DNS name or IP address of the Syslog server. Facility: Facility that will be used for th

Page 215

Chapter 22 Logs (p. 292). Copy: Copies the selected text onto the clipboard. A key shortcut from the operating system can be used (Ctrl+C or Ctrl+Insert in Windo

Page 216

22.2 Logs Context Menu (p. 293). Highlighting: Highlighting may be set for logs meeting certain criteria (for details, see below). Select font: Within this dialog

Page 217

Chapter 22 Logs (p. 294). Figure 22.6 Log highlighting settings. Figure 22.7 Highlighting rule definition. Each highlighting rule consists of a condition and a col

Page 218

22.3 Alert Log (p. 295). The Debug log advanced settings: Special options are available in the Debug log context menu. These options are available only to users

Page 219 - 15.5 User groups

Chapter 22 Logs (p. 296). 2. Configuration database changes: Changes performed in the Administration Console. A simplified form of the SQL language is used when co

Page 220

22.5 Connection Log (p. 297). 22.5 Connection Log. The Connection log gathers information about traffic matching traffic rules with the Log matching connections en

Page 221

Chapter 22 Logs (p. 298). 22.6 Debug Log. Debug (debug information) is a special log which can be used to monitor certain kinds of information, especially for pr

Page 222

22.7 Dial Log (p. 299). Figure 22.9 Selection of information monitored by the Debug log. • WinRoute services — protocols processed by WinRoute services (DHCP se

Page 223 - Chapter 16

Contents (p. 3). 1 Quick Checklist

Page 224 - 16.2 Update Checking

Chapter 4 Product Registration and Licensing (p. 30). McAfee license: This license is defined by the two following dates: • update right expiration date (independ

Page 225

Chapter 22 Logs (p. 300). The first log item is reported upon initialization of dialing. The log always includes WinRoute name of the dialed line (see chapter 5

Page 226

22.8 Error Log (p. 301). Another event is logged upon a successful connection (i.e. when the line is dialed, upon authentication on a remote server, etc.). 5. O

Page 227 - Advanced security features

Chapter 22 Logs (p. 302). Each record in the Error log contains error code and sub-code as two numbers in parentheses (x y). The error code (x) may fall into o

Page 228

22.9 Filter Log (p. 303). 22.9 Filter Log. This log gathers information on web pages and objects blocked/allowed by the HTTP and FTP filters (see chapters 12.2 an

Page 229

Chapter 22 Logs (p. 304). • Local traffic — the name of the traffic rule that was matched by the packet • packet to — packet direction (either to or from a parti

Page 230

22.10 Http log (p. 305). An example of an HTTP log record in the Apache format: 192.168.64.64 - jflyaway [18/Apr/2008:15:07:17 +0200] "GET http://www.kerio.c

Page 231

Chapter 22 Logs (p. 306). • DIRECT — the WWW server access method (WinRoute always uses DIRECT access) • 206.168.0.9 — IP address of the WWW server. 22.11 Securi

Page 232

22.12 Sslvpn Log (p. 307). Example 1: [17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15 (attack

Page 233 - Other settings

Chapter 22 Logs (p. 308). Example: [17/Mar/2008 08:01:51] Copy File: User: [email protected]: ’\\server\data\www\index.html’ 22.13 Warning Log. The Warning lo

Page 234

22.14 Web Log (p. 309). Note: With the above three examples, the relevant records will also appear in the Security log. 22.14 Web Log. This log contains all HTTP

Page 235

4.2 License information (p. 31). Figure 4.1 Administration Console welcome page providing license information. Copyright: Copyright information. Homepage: Link to th

Page 236

Chapter 23: Kerio VPN (p. 310). WinRoute enables secure interconnection of remote private networks using an encrypted tunnel and it provides clients secure acc

Page 237

23.1 VPN Server Configuration (p. 311). • No special user accounts must be created for VPN clients. User accounts in WinRoute (or domain accounts if the Active

Page 238 - 18.3 Relay SMTP server

Chapter 23 Kerio VPN (p. 312). Figure 23.2 VPN server settings — basic parameters. Enable VPN server: Use this option to enable/disable VPN server. VPN server us

Page 239

23.1 VPN Server Configuration (p. 313). It is recommended to check whether IP collision is not reported after each change in configuration of the local network o

Page 240 - Status Information

Chapter 23 Kerio VPN (p. 314). DNS. Figure 23.4 VPN server settings — specification of DNS servers. Specify a DNS server which will be used for VPN clients: • Use W

Page 241

23.1 VPN Server Configuration (p. 315). Figure 23.5 VPN server settings — server port and routes for VPN clients. upon clicking on the Apply button: (4103:10048)

Page 242

Chapter 23 Kerio VPN (p. 316). 23.2 Configuration of VPN clients. The following conditions must be met to enable connection of remote clients to local networks vi

Page 243

23.3 Interconnection of two private networks via the Internet (VPN tunnel) (p. 317). items). To generate the rules automatically, select Yes, I want to use Ke

Page 244

Chapter 23 Kerio VPN (p. 318). Figure 23.7 VPN tunnel configuration. The passive mode is only useful when the local end of the tunnel has a fixed IP address and wh

Page 245

23.3 Interconnection of two private networks via the Internet (VPN tunnel) (p. 319). Figure 23.8 VPN tunnel — certificate fingerprints. If the local endpoint is s

Page 246

Chapter 4 Product Registration and Licensing (p. 32). Company: Name of the company (or a person) to which the product is registered. Depending on the current lic

Page 247

Chapter 23 Kerio VPN (p. 320). Routing settings: On the Advanced tab, you can set which method will be used to add routes provided by the remote endpoint of the

Page 248

23.3 Interconnection of two private networks via the Internet (VPN tunnel) (p. 321). Connection establishment: Active endpoints automatically attempt to recover

Page 249

Chapter 23 Kerio VPN (p. 322). Figure 23.11 Common traffic rules for VPN tunnel. 2. Traffic rules set by this method allow full IP communication between the local n

Page 250

23.5 Example of Kerio VPN configuration: company with a filial office (p. 323). sions, custom routes are used as prior. This option easily solves the problem wher

Page 251 - 19.3 Alerts

Chapter 23 Kerio VPN (p. 324). networks). Configuration of VPN with redundant routes (typically in case of a company with two or more filials) is described in ch

Page 252 - Figure 19.11 Alert Definitions

23.5 Example of Kerio VPN configuration: company with a filial office (p. 325). Suppose that both networks are already deployed and set according to the figure and

Page 253

Chapter 23 Kerio VPN (p. 326). local hosts into the hosts file (if they use IP addresses) or enable cooperation of the DNS Forwarder with the DHCP server (in ca

Page 254

23.5 Example of Kerio VPN configuration: company with a filial office (p. 327). Figure 23.13 Headquarters — no restrictions are applied to accessing the Internet

Page 255

Chapter 23 Kerio VPN (p. 328). When the VPN tunnel is created, customize these rules according to the restriction requirements (see item 6). Note: To keep the

Page 256 - Basic statistics

23.5 Example of Kerio VPN configuration: company with a filial office (p. 329). • Set the IP address of this interface (10.1.1.1) as a primary DNS server for the W

Page 257 - Figure 20.1 User statistics

4.3 Registration of the product in the Administration Console (p. 33). Clicking on Become a registered trial user launches the registration wizard. 1. On the fi

Page 258 - 20.2 Interface statistics

Chapter 23 Kerio VPN (p. 330). Figure 23.19 Headquarters — VPN server configuration. For a detailed description on the VPN server configuration, refer to chapter

Page 259

23.5 Example of Kerio VPN configuration: company with a filial office (p. 331). 5. Create a passive end of the VPN tunnel (the server of the branch office uses a dy

Page 260

Chapter 23 Kerio VPN (p. 332). Figure 23.21 Headquarter — final traffic rules. • Add the Company headquarters rule allowing connections from both headquarters sub

Page 261

23.5 Example of Kerio VPN configuration: company with a filial office (p. 333). In this case, it would be meaningless to create rules for the Kerio VPN server and

Page 262 - Chapter 21

Chapter 23 Kerio VPN (p. 334). Figure 23.25 Filial office — DNS forwarder configuration. Figure 23.26 Filial office — DNS forwarding settings. • Set the IP address of

Page 263

23.5 Example of Kerio VPN configuration: company with a filial office (p. 335). Figure 23.27 Filial office — TCP/IP configuration at a firewall’s interface connected t

Page 264

Chapter 23 Kerio VPN (p. 336). (newyork.company.com). Use the fingerprint of the VPN server of the headquarters as a specification of the fingerprint of the remot

Page 265

23.6 Example of a more complex Kerio VPN configuration (p. 337). 6. Add the new VPN tunnel into the Local Traffic rule. It is also possible to remove the Dial-In

Page 266

Chapter 23 Kerio VPN (p. 338). tunnels (so called triangle pattern). This example can be then adapted and applied to any number of interconnected private netwo

Page 267

23.6 Example of a more complex Kerio VPN configuration (p. 339). Note: For every installation of WinRoute, a stand-alone license for the corresponding number

Page 268

Chapter 4 Product Registration and Licensing (p. 34). Figure 4.3 Trial version registration — user information. Figure 4.4 Trial version registration — other in

Page 269

Chapter 23 Kerio VPN (p. 340). 7. Allow traffic between the local and the remote networks. To allow any traffic, just add the created VPN tunnels to the Source and

Page 270 - 21.4 Accounting period

23.6 Example of a more complex Kerio VPN configuration (p. 341). In step 5, select Create rules for Kerio VPN server. Status of the Create rules for Kerio Clien

Page 271

Chapter 23 Kerio VPN (p. 342). • Enable the Use custom forwarding option and define rules for names in the filial1.company.com and filial2.company.com domains.

Page 272 - 21.5 Overall View

23.6 Example of a more complex Kerio VPN configuration (p. 343). Figure 23.37 Headquarter — TCP/IP configuration at a firewall’s interface connected to the local

Page 273

Chapter 23 Kerio VPN (p. 344). 4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certific

Page 274

23.6 Example of a more complex Kerio VPN configuration (p. 345). 5. Create a passive endpoint of the VPN tunnel connected to the London filial. Use the fingerpr

Page 275

Chapter 23 Kerio VPN (p. 346). Figure 23.40 The headquarters — routing configuration for the tunnel connected to the London filial. Warning: In case that the VPN co

Page 276 - 21.6 User statistics

23.6 Example of a more complex Kerio VPN configuration (p. 347). 6. Use the same method to create a passive endpoint for the tunnel connected to the Paris filial

Page 277 - 21.7 Users’ Activity

Chapter 23 Kerio VPN (p. 348). Figure 23.42 The headquarters — routing configuration for the tunnel connected to the Paris filial. Figure 23.43 Headquarter — final

Page 278

23.6 Example of a more complex Kerio VPN configuration (p. 349). Configuration of the London filial: 1. Install WinRoute (version 6.1.0 or higher) at the default g

Page 279

4.3 Registration of the product in the Administration Console (p. 35). Figure 4.5 Registration of the trial version — summary. Figure 4.6 Trial version registra

Page 280

Chapter 23 Kerio VPN (p. 350). warded (primary and secondary DNS server of the Internet connection provider by default). Figure 23.46 The London filial office — de

Page 281

23.6 Example of a more complex Kerio VPN configuration (p. 351). • Set the IP address of this interface (172.16.1.1) as a primary DNS server for the WinRoute ho

Page 282 - 21.8 Users by Traffic

Chapter 23 Kerio VPN (p. 352). our example, the ping gw-newyork.company.com command can be used at the London branch office server. Figure 23.50 The London filial

Page 283 - 21.9 Top Visited Websites

23.6 Example of a more complex Kerio VPN configuration (p. 353). Figure 23.51 The London filial — routing configuration for the tunnel connected to the headquart

Page 284

Chapter 23 Kerio VPN (p. 354). 6. Create a passive endpoint of the VPN tunnel connected to the Paris filial. Use the fingerprint of the VPN server of the Paris

Page 285

23.6 Example of a more complex Kerio VPN configuration (p. 355). Figure 23.53 The London filial — routing configuration for the tunnel connected to the Paris bran

Page 286

Chapter 23 Kerio VPN (p. 356). Configuration of the Paris filial: 1. Install WinRoute (version 6.1.0 or higher) at the default gateway of the filial’s network. 2. U

Page 287

23.6 Example of a more complex Kerio VPN configuration (p. 357). 3. Customize DNS configuration as follows: • In configuration of the DNS Forwarder in WinRoute, s

Page 288 - 22.1 Log settings

Chapter 23 Kerio VPN (p. 358). Note: The VPN network and Mask entries now include an automatically selected free subnet. Check whether this subnet does not c

Page 289 - Figure 22.1 Log settings

23.6 Example of a more complex Kerio VPN configuration (p. 359). 5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (n

Page 290

Chapter 4 Product Registration and Licensing (p. 36). Registration of the purchased product: Follow the Register product with a purchased license number link to

Page 291 - 22.2 Logs Context Menu

Chapter 23 Kerio VPN (p. 360). Paris branch office server. Figure 23.61 The Paris filial — routing configuration for the tunnel connected to the headquarters

Page 292

23.6 Example of a more complex Kerio VPN configuration (p. 361). 6. Create an active endpoint of the tunnel connected to London (server gw-london.company.com).

Page 293

Chapter 23 Kerio VPN (p. 362). Figure 23.63 The Paris filial — routing configuration for the tunnel connected to the London branch office. Figure 23.64 The Paris fili

Page 294

Chapter 24: Kerio Clientless SSL-VPN (p. 363). Kerio Clientless SSL-VPN (hereinafter “SSL-VPN”) is a special interface used for secured remote access to shared

Page 295 - 22.4 Config Log

Chapter 24 Kerio Clientless SSL-VPN (p. 364). Click Advanced to open a dialog where port and SSL certificate for SSL-VPN can be set. Figure 24.2 Setting of TCP

Page 296

24.2 Usage of the SSL-VPN interface (p. 365). 24.2 Usage of the SSL-VPN interface. For access to the interface, most of common graphical web browsers can be use

Page 297 - 22.5 Connection Log

Chapter 24 Kerio Clientless SSL-VPN (p. 366). • If it is a mapped Active Directory domain which is not set as primary, the domain must be included in the use

Page 298 - 22.6 Debug Log

24.2 Usage of the SSL-VPN interface (p. 367). Right under the navigation tree, actions available for the specified location (i.e. for the selected item or fol

Page 299 - 22.7 Dial Log

Chapter 24 Kerio Clientless SSL-VPN (p. 368). Figure 24.6 Clientless SSL-VPN — new bookmark. Examples of operations with files and folders: In this section, severa

Page 300

24.2 Usage of the SSL-VPN interface (p. 369). Figure 24.8 Clientless SSL-VPN — destination path (folder) selection. Figure 24.9 Clientless SSL-VPN — copying or

Page 301 - 22.8 Error Log

4.3 Registration of the product in the Administration Console (p. 37). Figure 4.8 Product registration — license numbers of additional components, add-ons and

Page 302

Chapter 24 Kerio Clientless SSL-VPN (p. 370). a standard download dialog. It is not possible to download whole folders or multiple files at a time. Uploading file

Page 303 - 22.9 Filter Log

Chapter 25: Specific settings and troubleshooting (p. 371). This chapter provides description of advanced features and specific configurations of the firewall. It

Page 304 - 22.10 Http log

Chapter 25 Specific settings and troubleshooting (p. 372). For details on traffic between the WinRoute Firewall Engine and the Administration Console, refer to Ke

Page 305

25.1 Configuration Backup and Transfer (p. 373). star: The star directory includes a complete database for statistics of the WinRoute web interface. Handling con

Page 306 - 22.11 Security Log

Chapter 25 Specific settings and troubleshooting (p. 374). 8. Use a plaintext editor (e.g. Notepad) to open the winroute.cfg configuration file. Go to the followi

Page 307 - 22.12 Sslvpn Log

25.2 Automatic user authentication using NTLM (p. 375). Note: The method described above includes a complete “clone” of WinRoute on a new host. Some of the ste

Page 308 - 22.13 Warning Log

Chapter 25 Specific settings and troubleshooting (p. 376). Figure 25.1 NTLM — user authentication options. Figure 25.2 Setting of NT authentication for local use

Page 309 - 22.14 Web Log

25.2 Automatic user authentication using NTLM (p. 377). Figure 25.4 Configuration of WinRoute’s Web Interface. Web browsers: For proper functioning of NTLM, a brow

Page 310 - Kerio VPN

Chapter 25 Specific settings and troubleshooting (p. 378). Firefox/SeaMonkey: The browser displays the login dialog. For security reasons, automatic user authent

Page 311 - 23.1 VPN Server Configuration

25.3 FTP on WinRoute’s proxy server (p. 379). Terminal FTP clients (such as the ftp command in Windows or Linux) do not allow configuration of the proxy serve

Page 312

Chapter 4 Product Registration and Licensing (p. 38). Figure 4.9 Product registration — user information. 4. Page four includes optional information. It is not

Page 313

Chapter 25 Specific settings and troubleshooting (p. 380). Hint: To configure web browsers, you can use a configuration script or the automatic detection of configur

Page 314

25.4 Internet links dialed on demand (p. 381). Hint: The defined proxy server is indexed and saved to the list of proxy servers automatically. Later, whenever you

Page 315

Chapter 25 Specific settings and troubleshooting (p. 382). net would be routed via this interface (no matter where it is actually connected to) and WinRoute wou

Page 316

25.4 Internet links dialed on demand (p. 383). will be dialed upon a client’s DNS query. If a local DNS server is used, the line will be dialed upon a query se

Page 317

Chapter 25 Specific settings and troubleshooting (p. 384). To avoid unintentional dialing based on DNS requests, WinRoute allows definition of rules where DNS na

Page 318

25.4 Internet links dialed on demand (p. 385). Activate the Enable dialing for local DNS names option in the Other settings tab to enable this (at the top of t

Page 319

Chapter 26: Technical support (p. 386). Free email and telephone technical support is provided for Kerio WinRoute Firewall. For contacts, see the end of this c

Page 320

26.2 Tested in Beta version (p. 387). The text file will be stored in the home directory of the logged user. (e.g. C:\Documents and Settings\Administrator) as ke

Page 321

Chapter 26 Technical support (p. 388). USA: Kerio Technologies Inc., 111 W. Saint John Street, Suite 1100, San Jose, CA 95113. Phone: +1 408 496 4500. http://www.kerio.

Page 322

Appendix A: Legal Notices (p. 389). Microsoft, Windows, Windows NT, Windows Vista, Internet Explorer, ActiveX, and Active Directory are trademarks or regis

Page 323

4.3 Registration of the product in the Administration Console (p. 39). Figure 4.10 Product registration — other information. Figure 4.11 Product registration —

Page 324

Appendix B: Used open-source libraries (p. 390). Kerio WinRoute Firewall contains the following open-source libraries: bindlib: Copyright © 1983, 1993 The Regents o

Page 325

(p. 391). PHP: Copyright © 1999-2006 The PHP Group. All rights reserved. This product includes PHP software, freely available from http://www.php.net/software/.p

Page 326

Glossary of terms (p. 392). ActiveX: This Microsoft’s proprietary technology is used for creation of dynamic objects for web pages. This technology provides many

Page 327

(p. 393). DMZ: DMZ (demilitarized zone) is a reserved network area where services available both from the Internet and from the LAN are run (e.g. a company’s pu

Page 328

Glossary of terms (p. 394). Ident: The Ident protocol is used for identification of user who established certain TCP connection from a particular (multi-user) s

Page 329

(p. 395). will be redirected to this host. Packets that do not match with any record in the NAT table will be dropped. • destination address translation (Desti

Page 330 - Chapter 23 Kerio VPN

Glossary of terms (p. 396). Ports 1-1023 are reserved and used by well known services (e.g. 80 = WWW). Ports above 1023 can be freely used by any application. P

Page 331

(p. 397). Routing table: The information used by routers when making packet forwarding decisions (so called routes). Packets are routed according to the packet’

Page 332

Glossary of terms (p. 398). • RST (Reset) — request on termination of a current connection and on initiation of a new one • URG (Urgent) — urgent packet • PSH (P

Page 333

Index (p. 399). A: Active Directory 205, 212; automatic import of accounts 212; domain mapping 214; import of user accounts 213; multiple domains mapping 217; administrat

Page 334

(p. 4). 7.9 Media hairpinning, 100. 8 Configuration of

Page 335

Chapter 4 Product Registration and Licensing (p. 40). 4.4 Product registration at the website. If, by any reason, registration of WinRoute cannot be performed f

Page 336

Index (p. 400). forwarding rules 104; hosts file 106; local domain 107; dynamic DNS 118. F: FTP 154, 195, 378; filtering rules 171; full cone NAT 83. G: groups; interface throughpu

Page 337

(p. 401). web 309. M: media hairpinning 100; multihoming 90. N: NAT 81, 87; full cone NAT 83, 98; NT domain 212; import of user accounts 213; NTLM 137, 139, 212; configuration of

Page 338

Index (p. 402). top visited websites 283; user groups 256; users’ activity 277; volume of transferred data 282; status information 240; active hosts 240; connections 247; s

Page 339

(p. 403). security center 18; Windows Firewall 17, 18; WinRoute Engine Monitor 18, 19; WinRoute Firewall Engine 18; wizard; configuration 22; traffic rules 67

Page 341

4.5 Subscription / Update Expiration (p. 41). Administrators are informed in two ways: • By a pop-up bubble tip (this function is featured by the WinRoute Engi

Page 342

Chapter 4 Product Registration and Licensing (p. 42). Figure 4.13 The notice that the subscription has already expired. 4.6 User counter. This chapter provides a

Page 343

4.6 User counter (p. 43). The following items are considered as clients: 1. All hosts from which users are connected to the firewall 2. All clients of the WinRou

Page 344

Chapter 5: Network interfaces (p. 44). WinRoute is a network firewall. This implies that it represents a gateway between two or more networks (typically between t

Page 345

(p. 45). change of a network adapter etc., there is no need to edit traffic rules — simple adding of the new interface in the correct group will do. In WinRoute,

Page 346

Chapter 5 Network interfaces (p. 46). IP Address and Mask: IP address and the mask of this interface’s subnet. If more IP addresses are set for the interface

Page 347

(p. 47). Figure 5.2 Editing interfaces. Remove: Removes the selected interface from WinRoute. This can be done under the following conditions: • the interface is a

Page 348

Chapter 5 Network interfaces (p. 48). handle the line by hand. Note: You can use WinRoute’s web interface (see chapter 11) to dial or hang up lines. • For VPN tu

Page 349

Chapter 6: Internet Connection (p. 49). The basic function of WinRoute is connection of the local network to the Internet via one or more Internet connections (I

Page 350

(p. 5). 15 User Accounts and Groups, 199. 15.1 Viewing and

Page 351

Chapter 6 Internet Connection (p. 50). This involves selection of the Internet connection type in the Configuration → Interfaces section of the WinRoute config

Page 352

6.1 Persistent connection with a single link (p. 51). Figure 6.1 Traffic Policy Wizard — persistent connection with a single link. Figure 6.2 Network Policy Wizar

Page 353

Chapter 6 Internet Connection (p. 52). Resulting interface configuration: When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed u

Page 354

6.2 Connection with a single leased link — dial on demand (p. 53). 6.2 Connection with a single leased link — dial on demand. If the WinRoute host is connected

Page 355

Chapter 6 Internet Connection (p. 54). Figure 6.4 Traffic Policy Wizard — dial on demand. Figure 6.5 Network Policy Wizard — selection of an interface for the Int

Page 356

6.2 Connection with a single leased link — dial on demand (p. 55). Figure 6.6 Configuration of interfaces — an on-demand dial link. packets to the corresponding

Page 357

Chapter 6 Internet Connection (p. 56). Figure 6.7 Interface properties — dialing settings. For these purposes, it is possible to set time intervals for persiste

Page 358

6.2 Connection with a single leased link — dial on demand (p. 57). connection is recovered automatically. • If the connection is set to be hung-up at the momen

Page 359

Chapter 6 Internet Connection (p. 58). Warning: WinRoute is running in the operating system as a service. Therefore, external applications and operating system

Page 360 - Paris branch office server

6.3 Connection Failover (p. 59). a new default route via this link which allows us to test Internet connection on the secondary link. • In case of two leased li

Page 361

(p. 6). 22.4 Config Log, 295. 22.5 Conn

Page 362

Chapter 6 Internet Connection (p. 60). Figure 6.10 Traffic Policy Wizard — failover of a leased link by a dial-up. Resulting interface configuration: When you finish

Page 363 - Kerio Clientless SSL-VPN

6.3 Connection Failover (p. 61). The Internet interfaces group includes the Internet and the Dial-up link selected as primary and secondary (failover) on the t

Page 364

Chapter 6 Internet Connection (p. 62). Note: 1. Probe hosts must not block ICMP Echo Requests (PING) since such requests are used to test availability of these

Page 365

6.4 Network Load Balancing (p. 63). Both the primary and the secondary link may be configured automatically by the DHCP protocol. In that case, WinRoute looks

Page 366

Chapter 6 Internet Connection (p. 64). On the third page of the wizard, add all links (one by one) which you intend to use for traffic load balancing. Figure 6.14

Page 367

6.4 Network Load Balancing (p. 65). Resulting interface configuration: When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed unde

Page 368

Chapter 6 Internet Connection (p. 66). Advanced settings (optimization, dedicated links, etc.): In basic configuration, network load balancing is applied automat

Page 369

Chapter 7: Traffic Policy (p. 67). Traffic Policy belongs to of the basic WinRoute configuration. All the following settings are displayed and can be edited within th

Page 370

Chapter 7 Traffic Policy (p. 68). Step 1 — information. Figure 7.1 Traffic Policy Wizard — introduction. To run successfully, the wizard requires the following parame

Page 371 - Chapter 25

7.1 Network Rules Wizard (p. 69). Step 4 — Internet access limitations: Select which Internet services will be available for LAN users: Figure 7.2 Network Policy

Page 372

Chapter 1: Quick Checklist (p. 7). In this chapter you can find a brief guide for a quick setup of “Kerio WinRoute Firewall” (called briefly “WinRoute” in further

Page 373

Chapter 7 Traffic Policy (p. 70). Kerio VPN and it can be used along with a third-party VPN solution. For detailed information, see chapter 24. Figure 7.3 Network

Page 374

7.1 Network Rules Wizard (p. 71). Figure 7.5 Network Policy Wizard — mapping of the local service. Service is running on: Select a computer where the correspondin

Page 375

Chapter 7 Traffic Policy (p. 72). Rules Created by the Wizard: The traffic policy is better understood through the traffic rules created by the Wizard in the previous

Page 376

7.1 Network Rules Wizard (p. 73). These rules are not created unless the option allowing access to a particular service is enabled in step 5. Note: In these rul

Page 377

Chapter 7 Traffic Policy (p. 74). Firewall Traffic: This rule enables access to certain services from the WinRoute host. It is similar to the NAT rule except from th

Page 378

7.3 Definition of Custom Traffic Rules (p. 75). Name: Name of the rule. It should be brief and unique. More detailed information can be included in the Description

Page 379

Chapter 7 Traffic Policy (p. 76). Figure 7.9 Traffic rule — source address definition. Warning: If either the source or the destination computer is specified by DNS nam

Page 380

7.3 Definition of Custom Traffic Rules 77 Figure 7.10 Traffic rule — selecting an interface of a group of interfaces Note: Only the Internet interfaces and th

Page 381

Chapter 7 Traffic Policy 78 Figure 7.12 Traffic rule — users and groups in the source/destination address definition Hint Users/groups from various domains can

Page 382

7.3 Definition of Custom Traffic Rules 79 Use the Any button to replace all defined items with the Any item (this item is also used by default for all new ru

Page 383

Chapter 1 Quick Checklist 8 9. Select an antivirus and define types of objects that will be scanned. If you choose the integrated McAfee antivirus applica

Page 384

Chapter 7 Traffic Policy 80 Use the Any button to replace all defined items with the Any item (this item is also used by default for all new rules). Wheneve

Page 385

7.3 Definition of Custom Traffic Rules 81 Note: It is recommended to use the Deny option to limit the Internet access for local users and the Drop option to

Page 386 - Technical support

Chapter 7 Traffic Policy 82 If WinRoute works in the mode of network traffic load balancing (see chapter 6.4), you can select a method which will be used for

Page 387 - 26.3 Contacts

7.3 Definition of Custom Traffic Rules 83 Figure 7.16 Traffic rule — NAT — NAT with specific interface (its IP address) any other address is used (including ev

Page 388

Chapter 7 Traffic Policy 84 are let in. This translation method guarantees high security — the firewall will not let in any packet which is not a response t

Page 389 - Legal Notices

7.3 Definition of Custom Traffic Rules 85 Figure 7.18 Traffic rule — destination address translation • No Translation — destination address will not be modifie

Page 390 - Used open-source libraries

Chapter 7 Traffic Policy 86 • Log matching packets — all packets matching with rule (permitted, denied or dropped, according to the rule definition) will be

Page 391

7.4 Basic Traffic Rule Types 87 • Default — all necessary protocol inspectors (or inspectors of the services listed in the Service entry) will be applied o

Page 392 - Glossary of terms

Chapter 7 Traffic Policy 88 Destination The Internet interfaces group. With this group, the rule is usable for any type of Internet connection (see chapter

Page 393

7.4 Basic Traffic Rule Types 89 Figure 7.23 Traffic rule that makes the local web server available from the Internet Source Mapped services can be accessed by

Page 394

9 Chapter 2 Introduction 2.1 Kerio WinRoute Firewall Kerio WinRoute Firewall 6.0 is a complex tool for connection of the local network to the Internet and

Page 395

Chapter 7 Traffic Policy 90 dropped. Therefore, it is recommended to put all rules for mapped services at the top of the table of traffic rules. Note: If ther

Page 396

7.4 Basic Traffic Rule Types 91 Limiting Internet Access Sometimes, it is helpful to limit users' access to the Internet services from the local network. Acc

Page 397

Chapter 7 Traffic Policy 92 Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user acc

Page 398

7.5 Policy routing 93 7.5 Policy routing If the LAN is connected to the Internet by multiple links with load balancing (see chapter 6.4), it may be needed

Page 399

Chapter 7 Traffic Policy 94 Setting of NAT in the rule for email services is shown in figure 7.31. It is recommended to allow use of a back-up link for case

Page 400

7.6 User accounts and groups in traffic rules 95 Example: Optimization of network traffic load balancing WinRoute provides two options of network traffic load

Page 401

Chapter 7 Traffic Policy 96 Figure 7.34 This traffic rule allows only selected users to connect to the Internet Such a rule enables the specified users to con

Page 402

7.7 Partial Retirement of Protocol Inspector 97 User not authenticated yet who attempts to open a Web site will be automatically redirected to the authen

Page 403

Chapter 7 Traffic Policy 98 Figure 7.37 Service definition without inspector protocol Figure 7.38 This traffic rule allows accessing service without protocol

Page 404

7.8 Use of Full cone NAT 99 Example: SIP telephone in local network In the local network, there is an IP telephone registered to an SIP server in the Int
