A good user manual
The rules should oblige the seller to give the purchaser an operating instruction for Kerio Tech 6 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unambiguous and legible.
What is an instruction?
The term originates from the Latin word "instructio", which means organizing. Therefore, in an instruction for Kerio Tech 6 one can find a description of a process. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a clue.
Unfortunately, only a few customers devote their time to reading the instruction for Kerio Tech 6. A good user manual introduces us to a number of additional functions of the purchased item and also helps us avoid most defects.
What should a perfect user manual contain?
First and foremost, a user manual for Kerio Tech 6 should contain:
- information concerning the technical data of Kerio Tech 6
- the name of the manufacturer and the year of construction of the Kerio Tech 6 item
- rules of operation, control and maintenance of the Kerio Tech 6 item
- safety signs and mark certificates which confirm compliance with the appropriate standards
Why don't we read the manuals?
Usually it results from a lack of time and of certainty about the functions of purchased items. Unfortunately, networking and start-up of Kerio Tech 6 alone are not enough. An instruction contains a number of clues concerning the respective functions, safety rules, maintenance methods (which means should be used), possible defects of Kerio Tech 6, and methods of problem resolution. Eventually, when one still cannot find the answer to a problem, one is directed to the Kerio Tech service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and will not skip complicated technical information about Kerio Tech 6.
Why should one read the manuals?
It is mostly in the manuals that we find the details concerning the construction and capabilities of the Kerio Tech 6 item, its use with the respective accessories, and information concerning all its functions and facilities.
After a successful purchase of an item, one should find a moment to get to know every part of its instruction. Currently manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals serve as an informational aid.
Table of contents for the manual
- Page 1: Kerio WinRoute Firewall 6 Administrator's Guide. Kerio Technologies s.r.o.[...]
- Page 2: Kerio Technologies s.r.o. All rights reserved. This guide provides detailed description on configuration and administration of Kerio WinRoute Firewall, version 6.7.1. All additional modifications and updates reserved. User interfaces Kerio StaR and Kerio Clientless SSL-VPN are focused in a standalone document, Kerio WinRoute Firewall — Us[...]
- Page 3 (Contents): 1 Quick Checklist 7; 2 Introduction 9; 2.1 What's new in 6.7.1 9; 2.2 Conflicting software 10; 2[...]
- Page 4 (Contents): 7.5 Policy routing 95; 7.6 User accounts and groups in traffic rules 98; 7.7 Partial Retirement of Protocol Inspector 99; 7.8 Use of Full cone NAT 101; 7.9 Media hairp[...]
- Page 5 (Contents): 15 User Accounts and Groups 190; 15.1 Viewing and definitions of user accounts 191; 15.2 Local user accounts 193; 15.3 Local user database: external authentication and import of accounts 203; 15.4 U[...]
- Page 6 (Contents): 22.9 Filter Log 276; 22.10 Http log 277; 22.11 Security Log 278; 22.12 Sslvpn Log 280; 22.13 War[...]
- Page 7: Chapter 1 Quick Checklist. In this chapter you can find a brief guide for a quick setup of Kerio WinRoute Firewall (referred to as "WinRoute" within this document). After this setup the firewall should be immediately available and able to share your Internet connection and protect your local network. For a detailed guide refer to the separ[...]
- Page 8 (Chapter 1 Quick Checklist): 9. Select an antivirus and define types of objects that will be scanned. If you choose the integrated McAfee antivirus application, check automatic update settings and edit them if necessary. External antivirus must be installed before it is set in WinRoute, otherwise it is not available in the combo box. 10. Using one[...]
- Page 9: Chapter 2 Introduction. 2.1 What's new in 6.7.1. In version 6.7.1, WinRoute brings the following new features: Kerio WinRoute Firewall Software Appliance / VMware Virtual Appliance. Kerio WinRoute Firewall is now available as a so called software appliance (Software Appliance / VMware Virtual Appliance). This appliance is distributed as a full[...]
- Page 10 (Chapter 2 Introduction): Support for Windows 7. Kerio WinRoute Firewall now includes full support for the new operating system Microsoft Windows 7. 2.2 Conflicting software. WinRoute can be run with most of common applications. However, there are certain applications that should not be run at the same host as WinRoute for this could result in co[...]
- Page 11 (2.3 System requirements): • 53/UDP — DNS module, • 67/UDP — DHCP server, • 1900/UDP — the SSDP Discovery service, • 2869/TCP — the UPnP Host service. The SSDP Discovery and UPnP Host services are included in the UPnP support (refer to chapter 18.2). • 44333/TCP+UDP — traffic between Kerio Administration Console and WinRoute F[...]
- Page 12 (Chapter 2 Introduction): • 50 MB free disk space for installation of Kerio WinRoute Firewall. • Disk space for statistics (see chapter 21) and logs (in accordance with traffic flow and logging level — see chapter 22). • To keep the installed product (especially its configuration files) as secure as possible, it is recommended to use [...]
- Page 13 (2.4 Installation - Windows): Note: 1. WinRoute installation packages include the Kerio Administration Console. The separate Kerio Administration Console installation package (file kerio-kwf-admin*.exe) is designed for full remote administration from another host. This package is identical both for 32-bit and 64-bit Windows systems. For deta[...]
- Page 14 (Chapter 2 Introduction): Figure 2.1 Installation — customization by selecting optional components. • Kerio WinRoute Firewall Engine — core of the application. • VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN). • Administration Console — the Kerio Administration Console application (universal con-s[...]
- Page 15 (2.4 Installation - Windows): • all checked components will be installed or updated, • all checked components will not be installed or will be removed. During an update, all components that are intended to remain must be ticked. 2. The installation program does not allow to install the Administration Console separately. Installation of the Admin[...]
- Page 16 (Chapter 2 Introduction): 2. Universal Plug and Play Device Host and SSDP Discovery Service. The services support UPnP (Universal Plug and Play) in the Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 operating systems. However, these services collide with the UPnP support in WinRoute (refer to chapter 18.2). The WinRoute in[...]
- Page 17 (2.5 Initial configuration wizard (Windows)): warning log. This helps assure that the service will be enabled/started immediately after the WinRoute installation. 2. On Windows XP Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008, WinRoute registers in the Security Center automatically. This implies that the Security Ce[...]
- Page 18 (Chapter 2 Introduction): Password and its confirmation must be entered in the dialog for account settings. Name Admin can be changed in the Username edit box. Note: If the installation is running as an upgrade, this step is skipped since the administrator account already exists. Remote Access. Immediately after the first WinRoute Firewall Engine [...]
- Page 19 (2.6 Upgrade and Uninstallation - Windows): Enable remote access: this option enables full access to the WinRoute computer from a selected IP address. Remote IP address: IP address of the computer from where you will be connecting (e.g. terminal services client). This field must contain an IP address. A domain name is not allowed. Warning: The remote [...]
- Page 20 (Chapter 2 Introduction): Figure 2.5 Uninstallation — asking user whether files created in WinRoute should be deleted. Keeping these files may be helpful for copying of the configuration to another host or if it is not sure whether the SSL certificates were issued by a trustworthy certification authority. During uninstallation, the WinRoute i[...]
- Page 21 (2.7 Installation - Software Appliance and VMware Virtual Appliance): Start of the installation. Software Appliance ISO image of the installation CD can be burned on a physical CD and then the CD can be used for installation of the system on the target computer (either physical or virtual). In case of virtual computers, the ISO image can be also con[...]
- Page 22 (Chapter 2 Introduction): virtual computer allows this) adapter or install WinRoute Software Appliance on another type of virtual machine. If such issue arises, it is highly recommended to consult the problem with the Kerio Technologies technical support (see chapter 26). Provided that no network adapter can be detected, it is not possible to cont[...]
- Page 23 (2.8 Upgrade - Software Appliance / VMware Virtual Appliance): 2.8 Upgrade - Software Appliance / VMware Virtual Appliance. WinRoute can be upgraded by the following two methods: • by starting the system from the installation CD (or a mounted ISO) of the new version. The installation process is identical with the process of a new installation with[...]
- Page 24 (Chapter 2 Introduction): 2.10 WinRoute Engine Monitor (Windows). WinRoute Engine Monitor is a standalone utility used to control and monitor the WinRoute Firewall Engine status. The icon of this component is displayed on the toolbar. Figure 2.6 WinRoute Engine Monitor icon in the Notification Area. If WinRoute Engine is stopped, a white crossed red[...]
- Page 25 (2.11 The firewall's console (Software Appliance / VMware Virtual Appliance)): Note: 1. If a limited version of WinRoute is used (e.g. a trial version), a notification is displayed 7 days before its expiration. This information is displayed until the expiration. 2. WinRoute Engine Monitor is available in English only. 2.11 The firewall's con[...]
- Page 26 (Chapter 2 Introduction): Shutting down / restarting the firewall. If you need to shut your computer down or reboot it, these options provide secure closure of the Kerio WinRoute Firewall Engine and shutdown of the firewall's operating system. Restoring default configuration. This option restores the default firewall settings as installed from [...]
- Page 27: Chapter 3 WinRoute Administration. For WinRoute configuration, two tools are available: The Web Administration interface. The Web Administration interface allows both remote and local administration of the firewall via a common web browser. In the current version of WinRoute, the Web Administration allows configuration of all crucial WinRout[...]
- Page 28 (Chapter 3 WinRoute Administration): The following chapters of this document address individual sections of the Administration Console, the module which allows full configuration. The Web Administration interface is almost identical to the Administration Console and its sections. Note: 1. The Web Administration interface and the Administration Co[...]
- Page 29 (3.1 Administration Console - the main window): • The left column contains the tree view of sections. The individual sections of the tree can be expanded and collapsed for easier navigation. Administration Console remembers the current tree settings and uses them upon the next login. • In the right part of the window, the contents of the sectio[...]
- Page 30 (Chapter 3 WinRoute Administration): for authentication of the firewall when connecting to the administration from another host (see Kerio Administration Console — Help). • Administrator's guide — this option displays the administrator's guide in HTML Help format. For details about help files, see Kerio Administration Console — Help [...]
- Page 31 (3.2 Administration Console - view preferences): Note: After a connection failure, the Web Administration interface is redirected and opened at the login page automatically. Any unsaved changes will get lost. 3.2 Administration Console - view preferences. Many sections of the Administration Console are in table form where each line represents one re[...]
- Page 32: Chapter 4 Product Registration and Licensing. When purchased, Kerio WinRoute Firewall must be registered. Upon registration of the product, a so called license key is generated (the license.key file — see chapter 25.1). If the key is not imported, WinRoute will behave as a full-featured trial version and its license will be limited by the expir[...]
- Page 33 (4.2 License information): cannot be updated. The time for updates can be extended by purchasing a subscription. • product expiration date — specifies the date by which WinRoute stops functioning and blocks all TCP/IP traffic at the host where it is installed. If this happens, a new valid license key must be imported or WinRoute must be unin[...]
- Page 34 (Chapter 4 Product Registration and Licensing): Figure 4.1 Administration Console welcome page providing license information. Product: name of the product (WinRoute). Copyright: copyright information. Homepage: link to the Kerio WinRoute Firewall homepage (information on pricing, new versions, etc.). Click on the link to open the homepage in your defa[...]
- Page 35 (4.3 Registration of the product in the Administration Console): Number of users: maximal number of hosts (unique IP addresses) that can be connected to the Internet via WinRoute at the same time (for details, refer to chapter 4.6). Company: name of the company (or a person) to which the product is registered. Depending on the current license, links[...]
- Page 36 (Chapter 4 Product Registration and Licensing): Registration of the trial version. By registering the trial version, users get free email and telephonic technical support for the entire trial period. In return, Kerio Technologies gets valuable feedback from these users. Registration of the trial version is not obligatory. However, it is recommended[...]
- Page 37 (4.3 Registration of the product in the Administration Console): Figure 4.3 Trial version registration — user information. Figure 4.4 Trial version registration — other information. 4. The fourth page provides the information summary. If any information is incorrect, use the Back button to browse to a corresponding page and correct the data. 5. T[...]
- Page 38 (Chapter 4 Product Registration and Licensing): Figure 4.5 Registration of the trial version — summary. Figure 4.6 Trial version registration — Trial ID. At this point, an email message (in the language set in the Administration Console) where confirmation of the registration is demanded is sent to the email address specified on the page two o[...]
- Page 39 (4.3 Registration of the product in the Administration Console): Registration of the purchased product. Follow the Register product with a purchased license number link to run the registration wizard. 1. On the first page of the wizard, it is necessary to enter the license number of the basic product delivered upon its purchase and retype the sec[...]
- Page 40 (Chapter 4 Product Registration and Licensing): Figure 4.8 Product registration — license numbers of additional components, add-ons and subscription[...]
- Page 41 (4.3 Registration of the product in the Administration Console): Figure 4.9 Product registration — user information. 4. Page four includes optional information. It is not obligatory to answer these questions, however, the answers help Kerio Technologies accommodate demands of as many customers as possible. These questions are asked only during t[...]
- Page 42 (Chapter 4 Product Registration and Licensing): Figure 4.10 Product registration — other information. Figure 4.11 Product registration — summary. 1. The license key is generated only for the operating system on which WinRoute was installed during the registration (Windows / Linux). The license can be used for any platform but the license key is[...]
- Page 43 (4.4 Product registration at the website): work connection, etc.), simply restart the wizard and repeat the registration. 4.4 Product registration at the website. If, for any reason, registration of WinRoute cannot be performed from the Administration Console, it is still possible to register the product at the Kerio Technologies website. To open the [...]
- Page 44 (Chapter 4 Product Registration and Licensing): Administrators are informed in two ways: • by a pop-up bubble tip (this function is featured by the WinRoute Engine Monitor module), • by a pop-up window upon a login to the Administration Console (only in case of expiration of subscription). Note: WinRoute administrators can also set posting o[...]
- Page 45 (4.6 User counter): 4.6 User counter. This chapter provides a detailed description on how WinRoute checks whether the number of licensed users has not been exceeded. The WinRoute license does not limit the number of user accounts. The number of user accounts does not affect the number of licensed users. Warning: The following description is only a technical hint th[...]
- Page 46 (Chapter 4 Product Registration and Licensing): License release. Idleness time (i.e. time for which no packet with a corresponding IP address meeting all conditions is detected) is monitored for each record in the table of clients. If the idleness time of a client reaches 15 minutes, the corresponding record is removed from the table and the number [...]
- Page 47: Chapter 5 Network interfaces. WinRoute is a network firewall. This implies that it represents a gateway between two or more networks (typically between the local network and the Internet) and controls traffic passing through network adapters (Ethernet, WiFi, dial-ups, etc.) which are connected to these networks. WinRoute functions as an IP [...]
- Page 48 (Chapter 5 Network interfaces): change of a network adapter etc., there is no need to edit traffic rules — simply adding the new interface to the correct group will do. In WinRoute, the following groups of interfaces are defined: • Internet interfaces — interfaces which can be used for Internet connection (network cards, wireless adapter[...]
- Page 49: you do not consider RAS clients as parts of trustworthy networks for any reason, you can move the Dial-In interface to Other interfaces. Note: 1. If both RAS server and WinRoute are used, the RAS server must be configured to assign clients IP addresses of a subnet which is not used by any segment of the local network. WinRoute performs standar[...]
- Page 50 (Chapter 5 Network interfaces): DNS: IP address of the primary DNS server set on the interface. MAC: hardware (MAC) address of a corresponding network adapter. This entry is empty for dial-ups as its use would be meaningless there. Use the buttons at the bottom of the interface list to remove or edit properties of the chosen interface. If no interfac[...]
- Page 51: In WinRoute, it is possible to specify a special name for each interface (names taken from the operating system can be confusing and the new name may make it clear). It is also possible to change the group of the interface (Internet, secure local network, another network — e.g. DMZ). It is also possible to change the default gateway and edit [...]
- Page 52 (Chapter 5 Network interfaces): Adding new interface (Software Appliance / VMware Virtual Appliance). In the Software Appliance / VMware Virtual Appliance edition, WinRoute allows to add new network interfaces (dial-up, PPPoE and PPTP connections) right in the administration console. Click on Add to open a menu and select type of the new interface ([...]
- Page 53: Chapter 6 Internet Connection. The basic function of WinRoute is connection of the local network to the Internet via one or more Internet connections (Internet links). Depending on number and types of Internet links, WinRoute provides various options of Internet connection: A Single Internet Link — Persistent. The most common connection of local[...]
- Page 54 (Chapter 6 Internet Connection): This involves selection of the Internet connection type in the Configuration → Interfaces section of the WinRoute configuration, setting corresponding interfaces for connection to the Internet and definition of corresponding traffic rules (see chapter 7.3). Hint: All necessary settings can be done semi-automa[...]
- Page 55 (6.1 Persistent connection with a single link): Figure 6.1 Traffic Policy Wizard — persistent connection with a single link. Figure 6.2 Network Policy Wizard — selection of an interface for the Internet connection. • to configure parameters of the selected interface, • to create a new interface (PPPoE, PPTP or dial-up). For details on netw[...]
- Page 56 (Chapter 6 Internet Connection): Resulting interface configuration. When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed under Configuration → Interfaces and edited if desirable. Figure 6.3 Configuration of interfaces — connection by a single leased link. The Internet Interfaces group includes only car[...]
- Page 57 (6.2 Connection with a single leased link - dial on demand): 6.2 Connection with a single leased link - dial on demand. If the WinRoute host is connected to the Internet via dial-up, WinRoute can automatically dial the connection when users attempt to access the Internet. WinRoute provides the following options of dialing/hanging control: • Line i[...]
- Page 58 (Chapter 6 Internet Connection): Figure 6.4 Traffic Policy Wizard — dial on demand. Figure 6.5 Network Policy Wizard — selection of an interface for the Internet connection. • to configure parameters of the selected interface, • to create a new interface (PPPoE, PPTP or dial-up). For details on network interfaces, see chapter 5. Resulting[...]
- Page 59 (6.2 Connection with a single leased link - dial on demand): Figure 6.6 Configuration of interfaces — an on-demand dial link. The Internet interfaces group can include multiple dial-ups. However, only one of these links can be set for on-demand dialing. If another link is dialed manually, WinRoute will route packets to the corresponding destinati[...]
- Page 60 (Chapter 6 Internet Connection): Figure 6.7 Interface properties — dialing settings. efficient to keep the link up persistently even in times with dense network communication. For these purposes, it is possible to set time intervals for persistent connection and/or hang-up. If the time intervals overlap, the interval in which the link is hung-up[...]
- Page 61 (6.2 Connection with a single leased link - dial on demand): connection is recovered automatically. • If the connection is set to be hung-up at the moment of the outage, the connection will not be recovered. • In mode of on-demand dial (i.e. outside the intervals defined), connection will be recovered in response to the first request (i.e. [...]
- Page 62 (Chapter 6 Internet Connection): Warning: WinRoute is running in the operating system as a service. Therefore, external applications and operating system's commands will run in the background only (in the SYSTEM account). The same rules are applied for all external commands and external programs called by scripts. Therefore, it is not highly unr[...]
- Page 63 (6.3 Connection Failover): Warning: Connection failover is relevant only if performed by a persistent connection (i.e. the primary connection uses a network card or a persistently connected dial-up). Failing that, the secondary connection would be activated upon each hang-up of the primary link automatically. Configuration with the wizard. On the [...]
- Page 64 (Chapter 6 Internet Connection): Figure 6.10 Traffic Policy Wizard — failover of a leased link by a dial-up. Resulting interface configuration. When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed under Configuration → Interfaces and edited if desirable. Figure 6.11 Configuration of interfaces — Inter[...]
- Page 65 (6.3 Connection Failover): The Internet interfaces group includes the Internet and the Dial-up link selected as primary and secondary (failover) on the third page of the wizard. The information provided in the Internet column states which link is used for primary and which one for secondary connection. The Status column informs of the link status ([...]
- Page 66 (Chapter 6 Internet Connection): Note: 1. Probe hosts must not block ICMP Echo Requests (PING) since such requests are used to test availability of these hosts — otherwise the hosts will always be considered as unavailable. This is one of the cases where the primary default gateway cannot be used as the testing computer. 2. Probe hosts must be [...]
- Page 67 (6.4 Network Load Balancing): Both the primary and the secondary link may be configured automatically by the DHCP protocol. In that case, WinRoute looks all required parameters up in the operating system. It is recommended to check functionality of individual Internet links before installing WinRoute. The following testing methods can be ap[...]
- Page 68 (Chapter 6 Internet Connection): On the third page of the wizard, add all links (one by one) which you intend to use for traffic load balancing. In the Software Appliance / VMware Virtual Appliance edition, the wizard allows: • to configure parameters of the selected interface, • to create a new interface (PPPoE, PPTP or dial-up). For detail[...]
- Page 69 (6.4 Network Load Balancing): Resulting interface configuration. When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed under Configuration → Interfaces and edited if desirable. Figure 6.15 Configuration of interfaces — network traffic load balancing. The Internet interfaces group includes the Internet 4M[...]
- Page 70 (Chapter 6 Internet Connection): Advanced settings (optimization, dedicated links, etc.). In basic configuration, network load balancing is applied automatically with respect to their proposed speeds (see above). It is possible to use traffic rules to modify this algorithm (e.g. by dedicating one link for a particular traffic). This issue is descri[...]
- Page 71: Chapter 7 Traffic Policy. Traffic Policy belongs to the basic WinRoute configuration. All the following settings are displayed and can be edited within the table: • security (protection of the local network including the WinRoute host from Internet intrusions), • IP address translation (or NAT, Network Address Translation — technology wh[...]
- Page 72 (Chapter 7 Traffic Policy): Figure 7.1 Traffic Policy Wizard — introduction. Steps 2 and 3 — Internet connection settings. On the second page of the wizard, select how the LAN will be connected to the Internet with WinRoute (leased link, dial-up, leased link with connection failover or multiple links with network traffic load balancing). On the [...]
- Page 73 (7.1 Network Rules Wizard): Figure 7.2 Network Policy Wizard — enabling access to Internet services. Allow access to the following services only: only selected services will be available from the local network. Note: 1. Defined restrictions will be applied also to the firewall itself. 2. In this dialog, only basic services are listed (it does not[...]
- Page 74 (Chapter 7 Traffic Policy): Figure 7.3 Network Policy Wizard — Kerio VPN. Step 6 — specification of servers that will be available within the local network. If any service (e.g. WWW server, FTP server, etc. which is intended to be available from the Internet) is running on the WinRoute host or another host within the local network, define it in th[...]
- Page 75 (7.1 Network Rules Wizard): Figure 7.5 Network Policy Wizard — mapping of the local service. Note: Access to the Internet through WinRoute must be defined at the default gateway of the host, otherwise the service will not be available. Service: selection of a service to be enabled. The service must be defined in Configurations → Definitions[...]
- Page 76 (Chapter 7 Traffic Policy): Figure 7.7 Traffic Policy generated by the wizard. FTP Service and HTTP Service: these rules map all HTTP and HTTPS services running at the host with the 192.168.1.10 IP address (step 6). These services will be available at IP addresses of the "outbound" interface of the firewall (i.e. the interface connected to the I[...]
- Page 77 (7.1 Network Rules Wizard): NAT: this rule sets that in all packets routed from the local network to the Internet, the source (private) IP address will be replaced by the address of the Internet interface through which the packet is sent from the firewall. Only specified services can be accessed by the Internet connection (the wizard, page 4). The[...]
- Page 78 (Chapter 7 Traffic Policy): 7.2 How traffic rules work. The traffic policy consists of rules ordered by their priority. When the rules are applied, they are processed from the top downwards and the first rule that meets connection or packet parameters is applied — i.e. the order of the rules in the list is key. The order of the rules can be changed w[...]
- Page 79 (7.3 Definition of Custom Traffic Rules): The background color of each row with this rule can be defined as well. Use the Transparent option to make the background transparent (background color of the whole list will be used, white is usually set). Colors allow highlighting of rules or distinguishing of groups of rules (e.g. rules for incoming an[...]
- Page 80 (Chapter 7 Traffic Policy): Warning: If either the source or the destination computer is specified by DNS name, WinRoute tries to identify its IP address while processing a corresponding traffic rule. If no corresponding record is found in the cache, the DNS forwarder forwards the query to the Internet. If the connection is realized by a dial-up wh[...]
- Page 81 (7.3 Definition of Custom Traffic Rules): Figure 7.11 Traffic rule — VPN clients / VPN tunnel in the source/destination address definition. tunnel: the All option covers all networks connected by all VPN tunnels defined which are active at the particular moment. For detailed information on the proprietary VPN solution integrated in WinRoute, re[...]
- Page 82 (Chapter 7 Traffic Policy): Note: 1. If you require authentication for any rule, it is necessary to ensure that a rule exists to allow users to connect to the firewall authentication page. If users use various hosts to connect from, IP addresses of all these hosts must be considered. 2. If user accounts or groups are used as a source in the[...]
- 
                            Page 837.3 Definition of Custom Traffic Rules 83 Figure 7.13 Traffic rule — setting a service Use the Remove button to remove all items defined (the Nothing value will be displayed in the item list). Whenever at least one service is added, the Nothing value will be removed automatically. If the Nothing value is kept in the Service column, the rule is [...] 
- 
                            Page 84Chapter 7 Traffic Policy 84 Figure 7.14 Traffic rule — selecting an action Translation Source or/and destination IP address translation. Source IP address translation (NAT — Internet connection sharing) The source IP address translation can be also called IP masquerading or Internet connection sharing. The source (private) IP address is substit[...] 
- 
                            Page 857.3 Definition of Custom Traffic Rules 85 Figure 7.15 Traffic rule — NAT — automatic IP address selection load balancing dividing the traffic among individual links may be not optimal in this case. • Load balancing per connection — for each connection established from the LAN to the Internet will be selected an Internet link to spread the [...] 
- 
                            Page 86Chapter 7 Traffic Policy 86 Figure 7.16 Traffic rule — NAT — NAT with specific interface (its IP address) failure. If set as suggested, WinRoute will behave like in mode of automatic interface selection (see above) if the such failure occurs. NAT with a specified IP address It is also possible to specify an IP address for NAT which will be us[...] 
- 
                            Page 877.3 Definition of Custom Traffic Rules 87 Full cone NAT For all NAT methods it is possible to set mode of allowing of incoming packets coming from any address — so called Full cone NAT . If this option is off, WinRoute performs so called Port restricted cone NAT . In outgoing packets transferred from the local network to the Internet, WinRoute [...] 
- 
                            Page 88Chapter 7 Traffic Policy 88 Destination NAT (port mapping): Destination address translation (also called port mapping) is used to allow access to services hosted in private local networks behind the firewall. All incoming packets that meet defined rules are re-directed to a defined host (destination address is changed). This actually “moves”[...] 
- 
                            Page 897.3 Definition of Custom Traffic Rules 89 Figure 7.19 Traffic rule — packet/connection logging Note: Connection cannot be logged for blocking and dropping rules (connection is not even established). The following columns are hidden in the default settings of the Traffic Policy window (for details on showing and hiding columns, see chapter 3.2 ):[...] 
- 
                            Page 90Chapter 7 Traffic Policy 90 • Default — all necessary protocol inspectors (or inspectors of the services listed in the Service entry) will be applied on traffic meeting this rule. • None — no inspector will be applied (regardless of how services used in the Service item are defined). • Other — selection of a particular inspector which [...] 
- 
                            Page 917.4 Basic Traffic Rule Types 91 Destination The Internet interfaces group. With this group, the rule is usable for any type of Internet connection (see chapter 6 ) and it is not necessary to modify it even it Internet connection is changed. Service This entry can be used to define global limitations for Internet access. If particular ser- vices ar[...] 
- 
                            Page 92Chapter 7 Traffic Policy 92 Figure 7.23 Traffic rule that makes the local web server available from the Internet Source Mapped services can be accessed by clients both from the Internet and from the local network. For this reason, it is possible to keep the Any value in the Source entry (or it is possible to list all relevant interface groups or in[...] 
- 
                            Page 937.4 Basic Traffic Rule Types 93 dropped. Therefore, it is recommended to put all rules for mapped services at the top of the table of traffic rules. Note: If there are separate rules limiting access to mapped services, these rules must precede mapping rules. It is usually possible to combine service mapping and access restriction in a single rule. [...] 
- 
                            Page 94Chapter 7 Traffic Policy 94 Limiting Internet Access Sometimes, it is helpful to limit users access to the Internet services from the local network. Access to Internet services can be limited in several ways. In the following examples, the limitation rules use IP translation. There is no need to define other rules as all traffic that would not mee[...] 
- 
                            Page 957.5 Policy routing 95 Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user account in WinRoute will be allowed to access the Internet after authenticating to the firewall. Firewall administrators can easily monitor which services and which pages are opened by each user (it [...] 
- 
                            Page 96Chapter 7 Traffic Policy 96 marginal traffic (web browsing, online radio channels, etc.). To meet this crucial requirement of an enterprise data traffic, it is necessary to consider and employ, besides the destination IP address, additional information when routing packets from the LAN to the Internet, such as source IP address, protocol, etc. This[...] 
- 
                            Page 977.5 Policy routing 97 Figure 7.31 Policy routing — setting NAT for a reserved link Figure 7.32 Policy routing — a link reserved for a specific server Note: In the second rule, automatic interface selection is used. This means that the Internet 4Mbit link is also used for network traffic load balancing. Email traffic is certainly still re- spec[...] 
- 
                            Page 98Chapter 7 Traffic Policy 98 IP address will be used). To any other services, load balancing per connection will be applied — thus maximally efficient use of the capacity of available links will be reached. Meeting of the requirements will be guaranteed by using two NAT traffic rules — see fig- ure 7.33 . In the first rule, specify correspondi[...] 
- 
                            Page 997.7 Partial Retirement of Protocol Inspector 99 counting reasons — see chapter 4.6 ). However, this NAT rule blocks any connection unless the user is authenticated. Enabling automatic authentication The automatic user authentication issue can be solved easily as follows: • Add a rule allowing an unlimited access to the HTTP service before the N[...] 
- 
                            Page 100Chapter 7 Traffic Policy 100 Example A banking application (client) communicates with the bank’s server through its proper proto- col which uses TCP protocol at the port 2000 . Supposing the banking application is run on a host with IP address 192.168.1.15 and it connects to the server server.bank.com . This port is used by the Cisco SCCP protoco[...] 
- 
                            Page 1017.8 Use of Full cone NAT 101 Note: In the default configuration of the Traffic rules section, the Protocol inspector column is hidden. To show it, modify settings through the Modify columns dialog (see chapter 3.2 ). Warning To disable a protocol inspector, it is not sufficient to define a service that would not use the inspector! Protocol inspec[...] 
- 
                            Page 102Chapter 7 Traffic Policy 102 Figure 7.39 Definition of a Full cone NAT traffic rule • Source — IP address of an SIP telephone in the local network. • Destination — name or IP address of an SIP server in the Internet. Full cone NAT will apply only to connection with this server. • Service — SIP service (for an SIP telephone). Full cone [...] 
- 
                            Page 1037.9 Media hairpinning 103 Example: Two SIP telephones in the LAN Let us suppose two SIP telephones are located in the LAN. These telephones authenticate at a SIP server in the Internet. The parameters may be as follows: • IP addresses of the phones: 192.168.1.100 and 192.168.1.101 • Public IP address of the firewall: 195.192.33.1 • SIP serve[...] 
- 
Page 104, Chapter 8 Configuration of network services: This chapter provides guidelines for setting of basic services in WinRoute helpful for easy configuration and smooth access to the Internet: • DNS module — this service is used as a simple DNS server for the LAN, • DHCP server — provides fully automated configuration of LAN hosts, • DDNS [...]
Page 105, 8.1 DNS module: The DNS module configuration By default, DNS server (the DNS forwarder service), cache (for faster responses to repeated requests) and simple DNS names resolver are enabled in WinRoute. The configuration can be fine-tuned in Configuration → DNS. Figure 8.1 DNS settings Enable DNS forwarder This option enables DNS server i[...]
Page 106, Chapter 8 Configuration of network services: Note: 1. Time period for keeping DNS logs in the cache is specified individually in each log (usually 24 hours). 2. Use of DNS also speeds up activity of the WinRoute’s non-transparent proxy server (see chapter 8.4). Clear cache Clear-out of all records from the DNS cache (regardless of their lif[...]
Page 107, 8.1 DNS module: Figure 8.2 Editor of the Hosts system file Local DNS domain In the When resolving name from the ’hosts’ file or lease table combine it with DNS domain below entry, specify name of the local DNS domain. If a host or a network device sends a request for an IP address, it uses the name only (it has not found out the domain yet[...]
Page 108, Chapter 8 Configuration of network services: Enable DNS forwarding The DNS module allows forwarding of certain DNS requests to specific DNS servers. This feature can be helpful for example when we intend to use a local DNS server for the local domain (the other DNS queries will be forwarded to the Internet directly — this will speed up the r[...]
Page 109, 8.1 DNS module: queries concerning names and reversed queries are independent from each other. For better reference, it is recommended to start with all rules concerning queries for names and continue with all rules for reversed queries, or vice versa. Click on the Add or the Edit button to open a dialog where custom DNS forwarding rules can be [...]
Page 110, Chapter 8 Configuration of network services: Warning In rules for DNS requests, it is necessary to enter an expression matching the full DNS name! If, for example, the kerio.c* expression is introduced, only names kerio.cz, kerio.com etc. would match the rule and host names included in these domains (such as www.kerio.cz and secure.kerio.com [...]
Page 111, 8.2 DHCP server: DHCP Server Configuration To configure the DHCP server in WinRoute go to Configuration → DHCP Server. Here you can define IP scopes, reservations or optional parameters, and view information about occupied IP addresses or statistics of the DHCP server. The DHCP server can be enabled/disabled using the DHCP Server enabled [...]
Page 112, Chapter 8 Configuration of network services: Figure 8.6 DHCP server — default DHCP parameters DNS server Any DNS server (or multiple DNS servers separated by semicolons) can be defined. We recommend you to use the WinRoute’s DNS module as the primary server (first in the list) — IP address of the WinRoute host. The DNS module can cooper[...]
Page 113, 8.2 DHCP server: Figure 8.7 DHCP server — IP scopes definition First address, Last address First and last address of the new scope. Note: If possible, we recommend you to define the scope larger than it would be defined for the real number of users within the subnet. Subnet mask Mask of the appropriate subnet. It is assigned to clients toge[...]
Page 114, Chapter 8 Configuration of network services: Example In 192.168.1.0 subnet you intend to create two scopes: from 192.168.1.10 to 192.168.1.49 and from 192.168.1.61 to 192.168.1.100. Addresses from 192.168.1.50 to 192.168.1.60 will be left free and can be used for other purposes. Create the scope from 192.168.1.10 to 192.168.1.100 and click on [...]
Page 115, 8.2 DHCP server: Figure 8.9 DHCP server — DHCP settings To view configured DHCP parameters and their values within appropriate IP scopes see the right column in the Address Scope tab. Note: Simple DHCP server statistics are displayed at the right top of the Address Scope tab. Each scope is described with the following items: • total number [...]
Page 116, Chapter 8 Configuration of network services: Figure 8.11 DHCP server — reserving an IP address • hardware (MAC) address of the host — it is defined by hexadecimal numbers separated by colons, i.e. 00:bc:a5:f2:1e:50 or by dashes — for example: 00-bc-a5-f2-1e-50 The MAC address of a network adapter can be detected with operating system to[...]
Page 117, 8.2 DHCP server: Figure 8.12 DHCP server — list of leased and reserved IP addresses • MAC Address — hardware address of the host that the IP address is assigned to (including name of the network adapter manufacturer). • Hostname — name of the host that the IP address is assigned to (only if the DHCP client at this host sends it to th[...]
Page 118, Chapter 8 Configuration of network services: the MAC address or name of the host that the address is currently assigned to. The Scopes tab with a dialog where the appropriate address can be leased will be opened automatically. All entries except for the Description item will be already defined with appropriate data. Define the Description ent[...]
Page 119, 8.3 Dynamic DNS for public IP address of the firewall: Warning 1. DHCP server cannot assign addresses to RAS clients connecting to the RAS server directly at the WinRoute host (for technical reasons, it is not possible to receive DHCP queries from the local RAS server). For such cases, it is necessary to set assigning of IP addresses in the RAS[...]
Page 120, Chapter 8 Configuration of network services: • free — user can choose from several second level domains (e.g. no-ip.org, ddns.info, etc.) and select a free host name for the domain (e.g. company.ddns.info). • paid service — user registers their own domain (e.g. company.com) and the service provider then provides DNS server for this [...]
Page 121, 8.4 Proxy server: Figure 8.14 Setting cooperation with dynamic DNS server On the Dynamic DNS tab, select a DDNS provider, enter DNS name for which dynamic record will be kept updated and set user name and password for access to updates of the dynamic record. If DDNS supports wildcards, they can be used in the host name. Once this information is [...]
Page 122, Chapter 8 Configuration of network services: Proxy server can receive and process clients’ queries locally. The line will not be dialed if access to the requested page is forbidden. 3. WinRoute is deployed within a network with many hosts where proxy server has been used. It would be too complex and time-consuming to re-configure all the hos[...]
Page 123, 8.4 Proxy server: Enable non-transparent proxy server This option enables the HTTP proxy server in WinRoute on the port inserted in the Port entry (3128 port is set by the default). Warning If you use a port number that is already used by another service or application, WinRoute will accept this port, however, the proxy server will not be able [...]
Page 124, Chapter 8 Configuration of network services: where 192.168.1.1 is the IP address of the WinRoute host and number 3128 represents the port of the proxy server (see above). The Allow browsers to use configuration script automatically... option adjusts the configuration script in accord with the current WinRoute configuration and the settings[...]
Page 125, 8.5 HTTP cache: Figure 8.16 HTTP cache configuration Enable cache on proxy server Enables the cache for HTTP traffic via WinRoute’s proxy server (see chapter 8.4). HTTP protocol TTL Default time of object validity within the cache. This time is used when: • TTL of a particular object is not defined (to define TTL use the URL specific se[...]
Page 126, Chapter 8 Configuration of network services: Warning Changes in this entry will not be accepted unless the WinRoute Firewall Engine is restarted. Old cache files in the original folder will be removed automatically. Cache size Size of the cache file on the disk. Maximal cache size allowed is 2 GB (2047 MB) Note: 1. If 98 per cent of the cac[...]
Page 127, 8.5 HTTP cache: Warning Some web servers may attempt to bypass the cache by too short/long TTL. • Ignore server Cache-Control directive — WinRoute will ignore directives for cache control of Web pages. Pages often include a directive that the page will not be saved into the cache. This directive page may be misused for example to bypass the [...]
Page 128, Chapter 8 Configuration of network services: Rules within this dialog are ordered in a list where the rules are read one by one from the top downwards (use the arrow buttons on the right side of the window to reorder the rules). Description Text comment on the entry (informational purpose only) URL URL for which cache TTL will be specified. UR[...]
Page 129, 8.5 HTTP cache: Figure 8.19 HTTP cache administration dialog Example Search for the *ker?o* string lists all objects with URL matching the specification, such as kerio, kerbo, etc. Each line with an object includes URL of the object, its size in bytes (B) and number of hours representing time left to the expiration. To keep the list simple[...]
Page 130, Chapter 9 Bandwidth Limiter: The main problem of shared Internet connection is when one or more users download or upload big volume of data and occupy great part of the line connected to the Internet (so called bandwidth). The other users are then limited by slower Internet connection or also may be affected by failures of certain services (e.g.[...]
Page 131, 9.2 Bandwidth Limiter configuration: Figure 9.1 Bandwidth Limiter configuration The Bandwidth Limiter module enables to define reduction of speed of incoming traffic (i.e. from the Internet to the local network) and of outgoing data (i.e. from the local network to the Internet) for transmissions of big data volumes and for users with their qu[...]
Page 132, Chapter 9 Bandwidth Limiter: services if too much big data volumes are transferred). If they are lower, full line capacity is often not employed. Warning For optimal configuration, it is necessary to operate with real capacity of the line. This value may differ from the information provided by ISP. One method of how to find out the real value[...]
Page 133, 9.2 Bandwidth Limiter configuration: Figure 9.2 Bandwidth Limiter — network services Figure 9.3 Bandwidth Limiter — selection of network services IP Addresses and Time Interval It may be also helpful to apply bandwidth limiter only to certain hosts (for example, it may be undesired to limit a mailserver in the local network or communication[...]
Page 134, Chapter 9 Bandwidth Limiter: addresses across the local network and the Internet. Where user workstations use fixed IP addresses, it is also possible to apply this function to individual users. It is also possible to apply bandwidth limiter to a particular time interval (e.g. in work hours). These parameters can be set on the Constraints tab. F[...]
Page 135, 9.3 Detection of connections with large data volume transferred: cally. With exception of special conditions (testing purposes) it is highly recommended not to change the default values! Figure 9.5 Bandwidth Limiter — setting parameters for detection of large data volume transfers For detailed description of the detection of large data volume [...]
Page 136, Chapter 9 Bandwidth Limiter: Examples: The detection of connections transferring large data volumes will be better understood through the following examples. The default configuration of the detection is as follows: at least 200 KB of data must be transferred while there is no interruption for 5 sec or more. 1. The connection at figure 9.6 is [...]
Page 137, Chapter 10 User Authentication: WinRoute allows administrators to monitor connections (packet, connection, Web pages or FTP objects and command filtering) related to each user. The username in each filtering rule represents the IP address of the host(s) from which the user is connected (i.e. all hosts the user is currently connected from). Thi[...]
Page 138, Chapter 10 User Authentication: • Redirection — when accessing any website (unless access to this page is explicitly allowed to unauthenticated users — see chapter 12.2). Login by re-direction is performed in the following way: user enters URL pages that he/she intends to open in the browser. WinRoute detects whether the user has already [...]
Page 139, 10.1 Firewall User Authentication: Redirection to the authentication page If the Always require users to be authenticated when accessing web pages option is enabled, user authentication will be required for access to any website (unless the user is already authenticated). The method of the authentication request depends on the method used by t[...]
Page 140, Chapter 10 User Authentication: available for other operating systems. For details, refer to chapter 25.3. Automatically logout users when they are inactive Timeout is a time interval (in minutes) of allowed user inactivity. When this period expires, the user is automatically logged out from the firewall. The default timeout value is 120 min[...]
Page 141, Chapter 11 Web Interface: WinRoute includes a special web server which provides an interface where statistics can be viewed (Kerio StaR), as well as for setting of some user account parameters and for firewall administration via web browser (Web Administration). This Web server is available over SSL or using standard HTTP with no encryption[...]
Page 142, Chapter 11 Web Interface: Figure 11.1 Configuration of WinRoute’s Web Interface The name need not be necessarily identical with the host name, however, there must exist an appropriate entry in DNS for proper name resolution. The SSL certificate for the secure web interface (see below) should be also issued for the server (i.e. the server nam[...]
Page 143, 11.1 Web interface preferences: Configuration of ports of the Web Interface Use the TCP ports section to set ports for unencrypted and encrypted versions of the Web interface (default ports are 4080 for the unencrypted and 4081 for the encrypted version of the Web interface). Figure 11.2 Configuration of ports in WinRoute’s Web Interface Hin[...]
Page 144, Chapter 11 Web Interface: SSL Certificate for the Web Interface The principle of an encrypted WinRoute Web interface is based on the fact that all communication between the client and server is encrypted to protect it from wiretapping and misuse of the transmitted data. The SSL protocol uses an asymmetric encryption first to facilitate excha[...]
Page 145, 11.1 Web interface preferences: Figure 11.3 SSL certificate of WinRoute’s Web interface Figure 11.4 Creating a new “self-signed” certificate for WinRoute’s Web interface A new (self-signed) certificate is unique. It is created by your company, addressed to your company and based on the name of your server. Unlike the testing version[...]
Page 146, Chapter 11 Web Interface: Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). To import a certificate, open the certificate file (*.crt) and the file including the corresponding private key (*.key). These files are stored in sslcert under the WinRoute’s installation directory. The process of certification[...]
                            Page 147147 Chapter 12 HTTP and FTP filtering WinRoute provides a wide range of features to filter traffic using HTTP and FTP protocols. These protocols are the most spread and the most used in the Internet. Here are the main purposes of HTTP and FTP content filtering: • to block access to undesirable Web sites (i.e. pages that do not relate to employ[...] 
- 
                            Page 148Chapter 12 HTTP and FTP filtering 148 An appropriate protocol inspector is activated automatically unless its use is denied by traffic rules. For details, refer to chapter 7.3 . 2. Connections must not be encrypted. SSL encrypted traffic (HTTPS and FTPS protocols) cannot be monitored. In this case you can block access to certain servers using tra?[...] 
- 
                            Page 14912.2 URL Rules 149 access to other web pages, a rule denying access to any URL must be placed at the end of the rule list. The following items (columns) can be available in the URL Rules tab: • Description — description of a particular rule (for reference only). You can use the checking box next to the description to enable/disable the rule (fo[...] 
- 
                            Page 150Chapter 12 HTTP and FTP filtering 150 Figure 12.2 URL Rule — basic parameters for example a rule allowing access to certain pages without authentication can be defined. 2. Unless authentication is required, the do not require authentication option is ineffective. • selected user(s) — applied on selected users or/and user groups. Click on t[...] 
- 
                            Page 15112.2 URL Rules 151 (wildcard matching) to substitute any number of characters (i.e. * .kerio.com * ) Server names represent any URL at a corresponding server ( www.kerio.com/ * ). • is in URL group — selection of a URL group (refer to chapter 14.4 ) which the URL should match with • is rated by Kerio Web Filter rating system — the rule will[...] 
- 
                            Page 152Chapter 12 HTTP and FTP filtering 152 Figure 12.3 URL Rule — advanced parameters Denial options Advanced options for denied pages. Whenever a user attempts to open a page that is denied by the rule, WinRoute will display: • A page informing the user that access to the required page is denied as it is blocked by the firewall. This page can als[...] 
- 
                            Page 15312.2 URL Rules 153 another page (see below). • A blank page — user will not be informed why access to the required page was denied. • Another page — user’s browser will be redirected to the specified URL. This op- tion can be helpful for example to define a custom page with a warning that access to the particular page is denied. The Con[...] 
- 
Page 154, Chapter 12 HTTP and FTP filtering: HTTP Inspection Advanced Options. Click the Advanced button in the HTTP Policy tab to open a dialog where parameters of the HTTP inspection module can be set. Figure 12.5 HTTP protocol inspector settings. Use the Enable HTTP Log and Enable Web Log options to enable/disable logging of HTTP queries (opened web [...]
Page 155, 12.3 Content Rating System (Kerio Web Filter): According to the classification of the page, the user is either allowed or denied access to it. To speed up URL rating, data that have once been acquired can be stored in the cache and kept for a certain period. Note: A special license (subscription) is bound with Kerio Web Filter. Unl[...]
Page 156, Chapter 12 HTTP and FTP filtering: Categorize each page regardless of HTTP rules. If this option is enabled, Kerio Web Filter categorization is applied to all web pages (i.e. to all HTTP requests processed by the HTTP protocol inspector). Categorization of all pages is necessary for statistics of the categories of visited web pages (see cha[...]
Page 157, 12.3 Content Rating System (Kerio Web Filter): Figure 12.7 Kerio Web Filter rule [...]
Page 158, Chapter 12 HTTP and FTP filtering: Figure 12.8 Selection of Kerio Web Filter categories. Note: 1. You can define multiple URL rules that use the Kerio Web Filter rating technology. Multiple categories may be used for each rule. 2. We recommend that you unlock rules that use the Kerio Web Filter rating system (the Users can Unlock this rule o[...]
Page 159, 12.4 Web content filtering by word occurrence: So-called forbidden words are used to filter out web pages containing undesirable words. URL rules (see chapter 12.2) define how pages including forbidden content are handled. Warning: Definition of forbidden words and of the threshold value is ineffective unless corresponding URL rules are set! D[...]
Page 160, Chapter 12 HTTP and FTP filtering: On the Content Rules tab, check the Deny Web pages containing... option to enable filtering by word occurrence. Figure 12.10 A rule filtering web pages by word occurrence (word filtering). Word groups: to define word groups, go to the Word Groups tab in Configuration → Content Filtering → HTTP Policy [...]
Page 161, 12.4 Web content filtering by word occurrence: Individual groups and the words included in them are displayed as trees. To enable filtering of particular words, use the checkboxes next to them. Unchecked words are ignored. Thanks to this function it is not necessary to remove rules and define them again later. Note: The following word [...]
Page 162, Chapter 12 HTTP and FTP filtering: Weight: the degree to which the word affects possible blocking or allowing of access to websites. The weight should respect the frequency of the particular word in the language (the more common the word, the lower the weight) so that legitimate web pages are not blocked. Description: a comment on the word or group. [...]
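The pages above describe word groups, per-word weights, the enable checkbox next to each word and the warning that none of it has any effect until a URL rule with "Deny Web pages containing..." exists. The following Python is an added illustration of that scoring logic; it is not Kerio's code, and the word lists, weights and threshold are constructed. Two details the excerpt leaves open are assumed here: a word found on a page contributes its weight once regardless of how often it appears, and a page is denied when its total strictly exceeds the threshold.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ForbiddenWord:
    word: str
    weight: int
    enabled: bool = True      # an unchecked word in the group tree is ignored


@dataclass
class WordGroup:
    name: str
    words: list = field(default_factory=list)


# Constructed sample groups; these are not Kerio's shipped word lists.
# Common words get a low weight so that legitimate pages are not blocked.
WORD_GROUPS = [
    WordGroup("warez", [
        ForbiddenWord("keygen", 40),
        ForbiddenWord("crack", 30),
        ForbiddenWord("serial", 10),                 # common word, low weight
    ]),
    WordGroup("gambling", [
        ForbiddenWord("casino", 30),
        ForbiddenWord("poker", 20, enabled=False),   # defined but unchecked
    ]),
]


def page_score(text, groups):
    """Return (total weight, {word: weight}) for the enabled forbidden words
    found in the page. Assumptions: whole-word, case-insensitive matching,
    and a word contributes its weight once however often it appears."""
    found = {}
    lowered = text.lower()
    for group in groups:
        for fw in group.words:
            if not fw.enabled:
                continue
            pattern = r"\b" + re.escape(fw.word.lower()) + r"\b"
            if re.search(pattern, lowered):
                found[fw.word] = fw.weight
    return sum(found.values()), found


def decide(text, groups, threshold, rule_denies_by_words):
    """Apply the URL rule's 'Deny Web pages containing...' option.
    Without such a rule the word definitions have no effect (the manual's
    warning); with it, a page is denied when its score exceeds the threshold
    (assumption: strictly greater than)."""
    score, found = page_score(text, groups)
    if not rule_denies_by_words:
        return "allow", score, found
    return ("deny" if score > threshold else "allow"), score, found


if __name__ == "__main__":
    page = "Download the keygen and crack for the full version here"
    print(decide(page, WORD_GROUPS, threshold=50, rule_denies_by_words=True))
```

The disabled "poker" entry and the repeated "serial" show the two points a rule author gets wrong most often: an unchecked word contributes nothing even though it is still listed, and a cheap, common word cannot push a page over the threshold on its own.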
Page 163, 12.5 FTP Policy: FTP Rules Definition. To create a new rule, select the rule after which the new rule will be added and click Add. You can later use the arrow buttons to reorder the rule list. The checkbox next to a rule can be used to disable it. Rules can be disabled temporarily so that it is not necessary to remove rules and creat[...]
Page 164, Chapter 12 HTTP and FTP filtering: Open the General tab to set general rules and actions to be taken. Description: description of the rule (information for the administrator). If user accessing the FTP server is: select which users this rule applies to: any user: the rule applies to all users (regardless of whether authenticat[...]
Page 165, 12.5 FTP Policy: Figure 12.15 FTP Rule, advanced settings. Valid at time interval: selection of the time interval during which the rule is valid (outside this interval the rule is ignored). Use the Edit button to edit time intervals (for details see chapter 14.2). Valid for IP address group: selection of the IP address group on which [...]
Page 166, Chapter 12 HTTP and FTP filtering: Scan content for viruses according to scanning rules. Use this option to enable/disable virus scanning of FTP traffic that meets this rule. This option is available only for allowing rules; it is meaningless to apply an antivirus check to denied traffic. [...]
Page 167, Chapter 13 Antivirus control: WinRoute provides antivirus checking of objects (files) transmitted by the HTTP, FTP, SMTP and POP3 protocols. In the case of HTTP and FTP, the WinRoute administrator can specify which types of objects are scanned. WinRoute is also distributed in a special version which includes the integrated McAfee antivirus. Besi[...]
Page 168, Chapter 13 Antivirus control: For details, see chapter 13.4. Objects transferred by protocols other than HTTP, FTP, SMTP and POP3 cannot be checked by the antivirus. If a non-standard port is used for the traffic, the corresponding protocol inspector is not applied automatically. In that case, simply define a traffic rule which will allo[...]
Page 169, 13.2 How to choose and set up antiviruses: Figure 13.2 Antivirus selection (integrated antivirus). Figure 13.3 Scheduling McAfee updates. Check for update every ... hours: interval between checks for new updates of the virus database and the antivirus engine (in hours). If a new update is available, it is downloaded automatically by WinRoute [...]
Page 170, Chapter 13 Antivirus control: Last update check performed ... ago: time that has passed since the last update check. Virus database version: database version currently in use. Scanning engine version: McAfee scanning engine version used by WinRoute. Update now: use this button for an immediate update of the virus database and of the scanning eng[...]
Page 171, 13.2 How to choose and set up antiviruses: Use the Options button to set advanced parameters for the selected antivirus. Dialogs for individual antiviruses differ (some antivirus programs may not require any additional settings). For detailed information on installation and configuration of individual antivirus programs, refer to http://www.k[...]
Page 172, Chapter 13 Antivirus control: ... network send their email via an SMTP server located in the Internet. Checking of outgoing SMTP traffic is not suitable for local SMTP servers sending email to the Internet. An example of a traffic rule for checking outgoing SMTP traffic is shown in figure 13.6. Figure 13.6 An example of a traffic rule for outgoing S[...]
Page 173, 13.3 HTTP and FTP scanning: To set parameters of the HTTP and FTP antivirus check, open the HTTP, FTP scanning tab in Configuration → Content Filtering → Antivirus. Figure 13.7 Settings for HTTP and FTP scanning. Use the If a virus is found... entry to specify actions to be taken whenever a virus is detected in a transmitted file: Move the [...]
Page 174, Chapter 13 Antivirus control: Warning: When handling files in the quarantine directory, consider carefully each action you take, otherwise a virus might be activated and the WinRoute host could be attacked by it! Alert the client: WinRoute alerts the user who attempted to download the file by an email message warning that a [...]
Page 175, 13.3 HTTP and FTP scanning: Figure 13.8 Definition of an HTTP/FTP scanning rule. Description: description of the rule (for reference of the WinRoute administrator only). Condition: condition of the rule: HTTP/FTP filename: this option filters certain filenames (not entire URLs) transmitted by FTP or HTTP (e.g. *.exe, *.zip, etc.). [...]
Page 176, Chapter 13 Antivirus control: If the object does not match any rule, it is scanned automatically. If only selected object types are to be scanned, a rule disabling scanning of any URL or MIME type must be added to the end of the list (the Skip all other files rule is predefined for this purpose). 13.4 Email scanning: SMTP and POP3 pro[...]
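Pages 175 and 176 describe scanning rules matched on the file name (not the whole URL) or on the MIME type, evaluated in order with the safe default that an unmatched object is scanned, which is why a "scan only selected types" policy needs the trailing Skip all other files rule. The Python below is an added illustration of that evaluation order, not WinRoute's own code; the rule sets and URLs are constructed, and `ScanRule` and `scan_decision` are names chosen for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlsplit, unquote


@dataclass
class ScanRule:
    description: str
    condition: str    # "filename" (HTTP/FTP filename) or "mime" (MIME type)
    pattern: str      # wildcard pattern, e.g. "*.exe" or "application/*"
    scan: bool        # True = hand the object to the antivirus, False = skip it


def filename_from_url(url):
    """The filename condition matches the file name only, not the whole URL:
    take the last path segment; the query string is not part of the path."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def scan_decision(url, mime_type, rules):
    """First matching rule wins; an object that matches no rule is scanned."""
    name = filename_from_url(url).lower()
    mime = mime_type.split(";")[0].strip().lower()   # drop "; charset=..." parameters
    for rule in rules:
        subject = name if rule.condition == "filename" else mime
        if fnmatch(subject, rule.pattern.lower()):
            return rule.scan, rule.description
    return True, "default: no rule matched, object is scanned"


# Constructed rule sets. The first one forgets the terminating catch-all, so
# everything it does not list still ends up being scanned by default.
SELECTED_TYPES_ONLY_BROKEN = [
    ScanRule("executables", "filename", "*.exe", True),
    ScanRule("archives", "filename", "*.zip", True),
    ScanRule("binary downloads", "mime", "application/*", True),
]
SELECTED_TYPES_ONLY = SELECTED_TYPES_ONLY_BROKEN + [
    ScanRule("Skip all other files", "filename", "*", False),
]

if __name__ == "__main__":
    for url, mime in [("http://example.com/dl/setup.exe?v=2", "application/octet-stream"),
                      ("http://example.com/index.html", "text/html; charset=utf-8")]:
        print(url, scan_decision(url, mime, SELECTED_TYPES_ONLY_BROKEN),
              scan_decision(url, mime, SELECTED_TYPES_ONLY))
```

Note that the MIME condition is independent of the name: a download served as `application/pdf` with no `.exe` or `.zip` suffix is still scanned by the "binary downloads" rule, which is the safer way to catch executables served under a misleading file name.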
Page 177, 13.4 Email scanning: Figure 13.9 Settings for SMTP and POP3 scanning. The quarantine subdirectory under the WinRoute directory is used for the quarantine (the typical path is C:\Program Files\Kerio\WinRoute Firewall\quarantine). Messages with untrustworthy attachments are saved to this directory under names generated automatically by Wi[...]
Page 178, Chapter 13 Antivirus control: Enable TLS. This alternative is suitable for cases where protection from wiretapping has priority over the antivirus check of email. Hint: In such cases it is recommended to install an antivirus engine on the individual hosts to perform a local antivirus check. Disable TLS. Secure mode will not be available. [...]
Page 179, 13.5 Scanning of files transferred via Clientless SSL-VPN (Windows): Transfer directions: use the top section of the SSL-VPN Scanning tab to set which transfer direction the antivirus check is applied to. By default, only files downloaded from a remote client to a local host are scanned, to avoid slowdown (the local network is treated as trustw[...]
Page 180, Chapter 14 Definitions, 14.1 IP Address Groups: IP groups are used for simple access to certain services (e.g. WinRoute's remote administration, a Web server located in the local network and available from the Internet, etc.). When setting access rights, a group name is used. The group itself can contain any combination of computers (IP addresses), I[...]
Page 181, 14.2 Time Ranges: Figure 14.2 IP group definition. Type: type of the new item: Host (IP address or DNS name of a particular host), Network / Mask (subnet with a corresponding mask), IP range (an interval of IP addresses defined by starting and end IP address, including both limit values), Address group (another group of IP a[...]
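The item types on page 181 (host, network with mask, inclusive IP range, and a reference to another group) are exactly what an access rule consults when it is bound to a group name. The Python below is an added example of that membership test, written for this page and not taken from WinRoute; the group names and addresses are constructed, and the DNS-name form of a host item is left out because it cannot be resolved offline. It goes slightly beyond the excerpt in one respect: a group that indirectly contains itself is treated as a non-match rather than recursing forever.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    address: str          # IP literal (the dialog also accepts a DNS name; not resolved here)


@dataclass(frozen=True)
class Network:
    network: str          # "10.1.0.0/255.255.255.0" or "10.1.0.0/24"


@dataclass(frozen=True)
class IPRange:
    first: str
    last: str             # both limit values are included


@dataclass(frozen=True)
class GroupRef:
    name: str             # another IP address group


# Constructed groups (assumed addresses, not from the manual).
GROUPS = {
    "lan-admins": [Host("10.1.0.10"), IPRange("10.1.0.20", "10.1.0.29")],
    "branch-office": [Network("192.0.2.0/255.255.255.240")],
    "remote-admin": [GroupRef("lan-admins"), GroupRef("branch-office")],
}


def _item_matches(addr, item, groups, seen):
    if isinstance(item, Host):
        return addr == ipaddress.ip_address(item.address)
    if isinstance(item, Network):
        return addr in ipaddress.ip_network(item.network, strict=False)
    if isinstance(item, IPRange):
        first, last = ipaddress.ip_address(item.first), ipaddress.ip_address(item.last)
        return addr.version == first.version == last.version and first <= addr <= last
    if isinstance(item, GroupRef):
        return _in_group(addr, item.name, groups, seen)
    raise TypeError(f"unknown group item {item!r}")


def _in_group(addr, name, groups, seen):
    if name in seen:                      # group that (indirectly) contains itself
        return False
    seen = seen | {name}
    return any(_item_matches(addr, item, groups, seen) for item in groups[name])


def in_group(ip, name, groups=GROUPS):
    """True if `ip` is a member of the named group, following nested groups."""
    return _in_group(ipaddress.ip_address(ip), name, groups, frozenset())


def groups_containing(ip, groups=GROUPS):
    """All groups the address belongs to, i.e. which group-bound rules it can hit."""
    return sorted(g for g in groups if in_group(ip, g, groups))


if __name__ == "__main__":
    for ip in ("10.1.0.29", "10.1.0.30", "192.0.2.15", "192.0.2.16"):
        print(ip, groups_containing(ip))
```

`groups_containing` is the check worth running before you grant a group remote-administration rights: it shows every address that will be admitted, including those that arrive only through a nested group.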
Page 182, Chapter 14 Definitions: Figure 14.3 WinRoute's time intervals. Time range types: when defining a time interval, three types of time ranges (subintervals) can be used: Absolute: the time interval is defined with an initial and an expiration date and is not repeated. Weekly: this interval is repeated weekly (according to the day schedule). Daily: it [...]
Page 183, 14.3 Services: Figure 14.4 Time range definition. Valid on: defines the days on which the interval is valid. You can either select particular weekdays (Selected days) or use one of the predefined options (All Days; Weekday, i.e. Monday to Friday; Weekend, i.e. Saturday and Sunday). Note: 1. Each time range must contain at least one item. Time [...]
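Pages 182 and 183 define a time range as a set of subintervals of three kinds (absolute, weekly, daily) with the Valid on presets, and note that a range must contain at least one item; page 165 above says a rule bound to a range is ignored outside it. The following Python is an added model of that evaluation, not code from the manual; the range names and times are constructed. One assumption not stated in the excerpt is made: a time-of-day window whose end precedes its start (22:00 to 06:00) is taken to wrap past midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time

# "Valid on" presets from the time range dialog (Monday = 0, as datetime.weekday()).
WEEKDAY = frozenset(range(0, 5))       # Monday to Friday
WEEKEND = frozenset({5, 6})            # Saturday and Sunday
ALL_DAYS = WEEKDAY | WEEKEND


def _in_window(start, end, t):
    """Time-of-day test; a window with end before start (e.g. 22:00 to 06:00)
    is assumed to wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


@dataclass(frozen=True)
class Absolute:
    start: datetime
    end: datetime

    def contains(self, when):
        return self.start <= when <= self.end          # one-off, never repeated


@dataclass(frozen=True)
class Weekly:
    days: frozenset
    start: time
    end: time

    def contains(self, when):
        return when.weekday() in self.days and _in_window(self.start, self.end, when.time())


@dataclass(frozen=True)
class Daily:
    start: time
    end: time

    def contains(self, when):
        return _in_window(self.start, self.end, when.time())


@dataclass(frozen=True)
class TimeRange:
    name: str
    items: tuple

    def __post_init__(self):
        if not self.items:
            raise ValueError("each time range must contain at least one item")

    def is_valid_at(self, when):
        return any(item.contains(when) for item in self.items)


def rule_applies(time_range, when):
    """A rule bound to a time range is ignored outside it; a rule with no
    time range (None) always applies."""
    return time_range is None or time_range.is_valid_at(when)


# Constructed ranges (assumed values, not from the manual).
WORK_HOURS = TimeRange("Work hours", (Weekly(WEEKDAY, time(8, 0), time(17, 0)),))
NIGHT = TimeRange("Night", (Daily(time(22, 0), time(6, 0)),))
MAINTENANCE = TimeRange("Maintenance", (
    Absolute(datetime(2024, 3, 9, 1, 0), datetime(2024, 3, 9, 4, 0)),
    Weekly(WEEKEND, time(0, 0), time(23, 59)),
))

if __name__ == "__main__":
    now = datetime(2024, 3, 6, 23, 30)      # a Wednesday evening
    for tr in (WORK_HOURS, NIGHT, MAINTENANCE):
        print(tr.name, rule_applies(tr, now))
```

The firewall evaluates these against its own clock, so a wrong time zone or unsynchronised clock (see the NTP settings in chapter 16) silently shifts every time-bound rule.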
Page 184, Chapter 14 Definitions: Figure 14.5 WinRoute's network services. Clicking the Add or Edit button opens a dialog for service definition. Figure 14.6 Network service definition. Name: service identification within WinRoute. It is strongly recommended to use a concise name to keep the program easy to follow. [...]
Page 185, 14.3 Services: Description: comments on the defined service. It is strongly recommended to describe each definition, especially for non-standard services, so that there is minimal confusion when referring to the service later. Protocol: the communication protocol used by the service. Most standard services use the TCP or the UDP [...]
Page 186, Chapter 14 Definitions: Figure 14.8 Service definition, source and destination port setting. Protocol Inspectors: WinRoute includes special subroutines that monitor all traffic using application protocols such as HTTP, FTP and others. These modules can be used to modify (filter) the communication or adapt the firewall's behavior according t[...]
Page 187, 14.4 URL Groups: Note: 1. Generally, protocol inspectors cannot be applied to secured traffic (SSL/TLS). In this case WinRoute "perceives" the traffic as binary data only, i.e. such traffic cannot be deciphered. 2. Under certain circumstances, applying a protocol inspector is not desirable. Therefore it is possible to di[...]
Page 188, Chapter 14 Definitions: The checkbox next to each item of the group can be either checked to activate or unchecked to disable the item. This way you can deactivate items without removing them and defining them again. Click the Add button to display a dialog where a new group can be created or a new item can be added to an existing g[...]
Page 189, 14.4 URL Groups: Description: the item's description (comments and notes for the administrator). [...]
Page 190, Chapter 15 User Accounts and Groups: User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can also be used to access the WinRoute administration using the Administration Console or the Web Administration interface. WinRoute supports several methods of storing user accounts and groups, [...]
Page 191, 15.1 Viewing and definitions of user accounts: Transparent cooperation with Active Directory (Active Directory mapping). WinRoute can use accounts and groups stored in Active Directory directly; no import to the local database is performed. Specific WinRoute parameters are added by the template of the corresponding account. These parameters [...]
Page 192, Chapter 15 User Accounts and Groups: Searching is helpful especially when the domain includes so many accounts that it is difficult to look up particular items. Hiding / showing disabled accounts: it is possible to disable accounts in WinRoute. Check Hide disabled user accounts to show only active (enabled) accounts. Account te[...]
Page 193, 15.2 Local user accounts: Note: It is also possible to select more than one account using the Ctrl and Shift keys to perform mass changes of parameters for all selected accounts. In mapped Active Directory domains it is not possible to create or remove user accounts. These actions must be performed in the Active Directory database on the [...]
Page 194, Chapter 15 User Accounts and Groups: Figure 15.2 Local user accounts in WinRoute. Step 1, basic information. Figure 15.3 Creating a user account, basic parameters. Name: username used for login to the account. [...]
Page 195, 15.2 Local user accounts: Warning: The user name is not case-sensitive. We recommend not using special characters (non-English languages) which might cause problems when authenticating at the firewall's web interfaces. Full name: the full name of the user (usually first name and surname). Description: user description (e.g. a position in a comp[...]
Page 196, Chapter 15 User Accounts and Groups: Warning: 1. Passwords may contain printable symbols only (letters, numbers, punctuation marks). The password is case-sensitive. We recommend not using special characters (non-English languages) which might cause problems when authenticating via the Web interface. 2. NTLM authentication cannot be used for automati[...]
Page 197, 15.2 Local user accounts: Step 3, access rights. Figure 15.5 Creating a new user account, user rights. Each user must be assigned one of the following three levels of access rights. No access to administration: the user has no rights to access the WinRoute administration. This setting is commonly used for the majority of users. Read only acce[...]
Page 198, Chapter 15 User Accounts and Groups: ... is displayed. The unlock feature must also be enabled in the corresponding URL rule (for details, refer to chapter 12.2). User can dial RAS connection: if the Internet connection uses dial-up lines, users with this right are allowed to dial and hang up these lines in the Web interface (see chapter 11). U[...]
Page 199, 15.2 Local user accounts: Figure 15.6 Creating a new user account, data transmission quota. ... make such users reduce their network activities). For detailed information, see chapter 9. Check the Notify user by email when quota is exceeded option to enable sending of warning messages to the user in case a quota is exceeded. A valid ema[...]
Page 200, Chapter 15 User Accounts and Groups: Don't block further traffic mode. Resetting of the data volume counter of the user (see chapter 20.1). 2. Actions for quota-exceeding are not applied if the user is authenticated at the firewall. This would block all firewall traffic as well as all local users. However, transferred data is included in [...]
Page 201, 15.2 Local user accounts: Pop-up windows: automatic opening of new browser windows, usually pop-up windows with advertisements. This option allows / blocks the window.open() method in JavaScript. <Applet> HTML tags: applets in Java. Cross-domain referers: this option allows / blocks the Referer item included in an HTTP header. The R[...]
Page 202, Chapter 15 User Accounts and Groups: Figure 15.8 Creating a new user account, IP addresses for VPN client and automatic logins. Automatic login can be set for the firewall (i.e. for the WinRoute host) or/and for any other host(s) (i.e. when the user also connects from an additional workstation, such as a notebook). An IP address group ca[...]
Page 203, 15.3 Local user database: external authentication and import of accounts: Users in the local database can be authenticated either at the Active Directory domain or at the Windows NT domain (see chapter 15.2, step one). To apply these authentication methods, the WinRoute hos[...]
Page 204, Chapter 15 User Accounts and Groups: Figure 15.9 Import of accounts from Active Directory. Figure 15.10 Importing accounts from the Windows NT domain. 15.4 User accounts in Active Directory, domain mapping: In WinRoute it is possible to directly use user accounts from one or more Active Directory domain(s). This feature is called either transp[...]
Page 205, 15.4 User accounts in Active Directory, domain mapping: ... Directory and forward them to the corresponding domain server. If another DNS server is used, user authentication in Active Directory may not work correctly. For mapping of multiple domains: 1. The WinRoute host must be a member of one of the mapped domains. This domain will be s[...]
Page 206, Chapter 15 User Accounts and Groups: The first page of the wizard requires the full name of the Active Directory domain (e.g. company.com) and the name and password of a user with rights to add hosts to the domain. If WinRoute cannot find the domain server of the specified domain automatically, it requires its IP address in the ne[...]
Page 207, 15.4 User accounts in Active Directory, domain mapping: Figure 15.13 Advanced options for cooperation with Active Directory. If WinRoute is installed on Windows, it is possible to allow authentication compatible with older systems (i.e. authentication via the Windows NT domain). This option is required if the domain server uses Windows N[...]
Page 208, Chapter 15 User Accounts and Groups: Secured connection to the domain server: for higher security (to prevent tapping of traffic and exploitation of user passwords), the connection to Active Directory can be encrypted. Enabling the encrypted connection requires corresponding settings on the particular domain server (or on all servers of the partic[...]
Page 209, 15.4 User accounts in Active Directory, domain mapping: Use the Add or Edit buttons to open a dialog for a new domain definition and enter the parameters of the mapped domain. For details, see above (Primary domain mapping and Advanced options). Collision of Active Directory with the local database and conversion of accounts: during Active Directory [...]
Page 210, Chapter 15 User Accounts and Groups, 15.5 User groups: User accounts can be sorted into groups. Creating user groups provides the following benefits: specific access rights can be assigned to a group of users; these rights complement the rights of individual users. Each group can be used when traffic and access rules are defined. This simp[...]
Page 211, 15.5 User groups: Searching is helpful especially when the domain includes so many groups that it is difficult to look up particular items. Creating a new local user group: in the Domain combo box in Groups, select Local User Database. Click Add to start a wizard where a new user group can be created. Step 1, name and descriptio[...]
Page 212, Chapter 15 User Accounts and Groups: Using the Add and Remove buttons you can add or remove users to/from the group. If user accounts have not been created yet, the group can be left empty and users can be added during the account definition (see chapter 15.1). Hint: When adding new users you can select multiple user accounts by holding either [...]
Page 213, 15.5 User groups: Additional rights: Users can override WWW content rules: users belonging to the group can customize personal web content filtering settings (see chapter 15.2). User can unlock URL rules: this option allows members one-shot bypassing of denial rules for blocked websites (if allowed by the corresponding URL rule; see chapte[...]
Page 214, Chapter 16 Administrative settings, 16.1 System configuration (Software Appliance / VMware Virtual Appliance): In the Software Appliance / VMware Virtual Appliance edition, the WinRoute administration console allows setting of a few basic parameters of the firewall's operating system. These settings are necessary for correct functionality o[...]
Page 215, 16.2 Setting Remote Administration: ... firewall's system time. The time zone also includes information about daylight saving time settings. Kerio Technologies offers the following free NTP servers for this purpose: 0.kerio.pool.ntp.org, 1.kerio.pool.ntp.org, 2.kerio.pool.ntp.org and 3.kerio.pool.ntp.org. 16.2 Setting Remote Administration: Re[...]
Page 216, Chapter 16 Administrative settings: Hint: In WinRoute you can use a similar method to allow or block remote administration of Kerio MailServer: for connection via the Administration Console use the predefined service KMS Admin; for the Web Administration use HTTPS. Note: Be very careful while defining traffic rules, otherwise you could [...]
Page 217, 16.3 Update Checking: 2 minutes after each startup of the WinRoute Firewall Engine, and then every 24 hours. The result of each attempted update check (successful or not) is logged to the Debug log (see chapter 22.6). Check also for beta versions: enable this option if you want WinRoute to also perform update checks for beta versions. If [...]
Page 218, Chapter 17 Advanced security features, 17.1 P2P Eliminator: Peer-to-Peer (P2P) networks are world-wide distributed systems where each node can represent both a client and a server. These networks are used for sharing of big volumes of data (this sharing is mostly illegal). DirectConnect and Kazaa are the most popular ones. In addition to ill[...]
Page 219, 17.1 P2P Eliminator: Figure 17.1 Detection settings and P2P Eliminator. ... allowance of only certain services and the length of the period for which restrictions are applied). The email is sent only if a valid email address (see chapter 15.1) is specified in the particular user account. This option does not apply to unauthenticated users. The Tr[...]
Page 220, Chapter 17 Advanced security features: Note: 1. If a user who is allowed to use P2P networks (see chapter 15.1) is connected to the firewall from a certain host, no P2P restrictions are applied to this host. Settings in the P2P Eliminator tab are always applied to unauthorized users. 2. Information about P2P detection and blocked traffic can [...]
Page 221, 17.2 Special Security Settings: Number of suspicious connections: a big volume of connections established from the client host is a typical feature of P2P networks (usually one connection for each file). The Number of connections value defines the maximum number of a client's network connections that must be reached to consider the traffic suspici[...]
Page 222, Chapter 17 Advanced security features: Figure 17.4 Security options, Anti-Spoofing and cutting down the number of connections for one host. Anti-Spoofing: Anti-Spoofing checks that only packets with allowed source IP addresses are received at the individual interfaces of the WinRoute host. This function protects the WinRoute host from attacks from th[...]
Page 223, 17.2 Special Security Settings: These restrictions protect the firewall (WinRoute host) from overload, may also help protect it from attacks on the target server, and reduce the activity and impact of a worm or Trojan horse. The count limit for outgoing connections is useful, for example, when a local client host is attacked by a worm or Trojan horse whic[...]
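Pages 220 to 223 describe three per-host heuristics: the P2P Eliminator's connection-count threshold (with the note that a host where a P2P-permitted user is logged in is exempt), Anti-Spoofing of source addresses per interface, and the limit on outgoing connections per host that keeps a worm-infected client from overloading the firewall. The Python below is an added illustration of all three over a constructed connection table; it is not WinRoute's code, the interface layout and addresses are assumed, and because the page is cut off before it says which connections count as "suspicious", the example simply counts all of a host's connections.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str          # local client (connection initiator)
    dst: str
    dport: int
    protocol: str = "TCP"


# Assumed interface layout: the networks that legitimately appear as source
# addresses on each interface. Not taken from the manual.
INTERFACES = {
    "LAN": [ipaddress.ip_network("192.168.1.0/24")],
    "DMZ": [ipaddress.ip_network("192.168.2.0/24")],
    "Internet": [],   # anything not claimed by an internal interface
}


def anti_spoofing_ok(ingress, src_ip, interfaces=INTERFACES):
    """Anti-Spoofing: accept a packet on an interface only if its source
    address belongs to a network behind that interface. On the Internet
    interface that means: not an address of any internal network, so a
    packet from outside claiming a LAN source is dropped."""
    addr = ipaddress.ip_address(src_ip)
    internal = [net for name, nets in interfaces.items()
                if name != "Internet" for net in nets]
    if ingress == "Internet":
        return not any(addr in net for net in internal)
    return any(addr in net for net in interfaces[ingress])


def suspicious_p2p_hosts(connections, threshold, exempt_hosts=frozenset()):
    """P2P Eliminator heuristic: a host whose connection count reaches the
    configured 'Number of connections' is considered suspicious.
    Assumption: every connection of the host is counted. Hosts where a
    user allowed to use P2P is logged in are exempt (note 1 on page 220)."""
    counts = Counter(c.src for c in connections)
    return {host: n for host, n in counts.items()
            if n >= threshold and host not in exempt_hosts}


def refused_by_outgoing_limit(connections, limit):
    """Per-host limit on outgoing connections: once a host holds `limit`
    connections, further ones (in arrival order) are refused."""
    held = Counter()
    refused = []
    for c in connections:
        if held[c.src] >= limit:
            refused.append(c)
        else:
            held[c.src] += 1
    return refused


# Constructed connection table: one chatty host and two ordinary ones.
SAMPLE_CONNECTIONS = (
    [Connection("192.168.1.50", f"203.0.113.{i % 200 + 1}", 6881 + i) for i in range(120)]
    + [Connection("192.168.1.20", "198.51.100.10", 443) for _ in range(5)]
    + [Connection("192.168.1.21", "198.51.100.11", 80)]
)

if __name__ == "__main__":
    print("spoofed LAN source on Internet accepted:", anti_spoofing_ok("Internet", "192.168.1.7"))
    print("suspicious:", suspicious_p2p_hosts(SAMPLE_CONNECTIONS, threshold=100))
    print("refused:", len(refused_by_outgoing_limit(SAMPLE_CONNECTIONS, limit=100)))
```

The two counters deliberately differ in what they do with the excess: the P2P check only flags the host (the manual's restrictions are then applied to it), while the outgoing-connection limit refuses the extra connections outright, which is the behaviour that matters when a compromised client starts scanning.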
Page 224, Chapter 18 Other settings, 18.1 Routing table: Using the Administration Console you can view or edit the system routing table of the host where WinRoute is running. This is useful especially for resolving routing problems remotely (it is not necessary to use applications for terminal access, remote desktop, etc.). To view or modify the routing table [...]
Page 225, 18.1 Routing table: Note: Changes in the routing table might interrupt the connection between the WinRoute Firewall Engine and the Administration Console. We recommend checking the routing table thoroughly before clicking the Apply button! Route Types: the following route types are used in the WinRoute routing table: System routes: ro[...]
Page 226, Chapter 18 Other settings: Figure 18.2 Adding a route to the routing table. Network, Network Mask: IP address and mask of the destination network. Interface: selection of the interface through which the specific packet should be forwarded. Gateway: IP address of the gateway (router) which can route to the destination network. The IP address of the g[...]
Page 227, 18.2 Universal Plug-and-Play (UPnP): Removing routes from the Routing Table: using the Remove button in the WinRoute admin console, records can be removed from the routing table. The following rules are used for route removal: static routes in the Static Routes folder are managed by WinRoute. Removal of any of the static routes would remove [...]
Page 228, Chapter 18 Other settings: Enable UPnP: this option enables UPnP. Warning: If WinRoute is running on Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008, check that the following system services are not running before you start the UPnP function: SSDP Discovery Service; Universal Plug and Play Device Host. If any of thes[...]
Page 229, 18.3 Relay SMTP server: WinRoute provides a function which enables notification of users or/and administrators by email alerts. These alert messages can be sent upon various events, for example when a virus is detected (see chapter 13.3), when a Peer-to-Peer network is detected (refer to chapter 17.1), when an alert fun[...]
Page 230, Chapter 18 Other settings: ... be used for reference in the recipient's mail client or for email classification. This is why it is always recommended to specify the sender's email address in WinRoute. Connection test: click Test to test sending of email via the specified SMTP server. WinRoute sends a test email message to the speci[...]
Page 231, Chapter 19 Status Information: WinRoute activities can be monitored by the administrator (or by other users with appropriate rights). There are three types of information: status monitoring, statistics and logs. Communication of each computer, connected users or all connections using WinRoute can be monitored. Note: 1. WinRoute mon[...]
Page 232, Chapter 19 Status Information: Figure 19.1 List of active hosts and users connected to the firewall. User: name of the user connected from a particular host. If no user is connected, the item is empty. Currently Rx, Currently Tx: current traffic speed (kilobytes per second) in both directions (from and to the host; Rx values r[...]
Page 233, 19.1 Active hosts and connected users: Connections: total number of connections to and from the host. Details can be displayed in the context menu (see below). Authentication method: authentication method used for the recent user connection: plaintext, the user is connected through an insecure plaintext login page; SSL, the user is connected t[...]
Page 234, Chapter 19 Status Information: User quota: use this option to show the quota of the particular user (the Administration Console switches to the User quota tab in Status → Statistics and selects the particular user automatically). The User quota option is available in the context menu only for hosts from which a user is connected to the firewall. Refr[...]
Page 235, 19.1 Active hosts and connected users: Login information: information on logged-in users: User: name of the user, DNS name (if available) and IP address of the host from which the user is connected. Login time: date and time when the user logged in, the authentication method used and the inactivity time (idle). If no user is connected f[...]
Page 236, Chapter 19 Status Information: FTP: DNS name or IP address of the server, size of downloaded/saved data, information on the currently downloaded/saved file (name of the file including the path, size of data downloaded/uploaded from/to this file). Multimedia (real-time transmission of video and audio data): DNS name or IP address of [...]
Page 237, 19.1 Active hosts and connected users: The following columns are hidden by default. They can be shown through the Modify columns dialog opened from the context menu (for details, see chapter 3.2). Source port, Destination port: source and destination port (only for TCP and UDP protocols). Protocol: protocol used for the transmission (TCP, UDP, et[...]
Page 238, Chapter 19 Status Information: Figure 19.6 Information on the selected host and user, traffic histogram. Select an item from the Time interval combo box to specify the time period the chart refers to (2 hours or 1 day). The x axis of the chart represents time and the y axis represents traffic speed. The x axis is measured according to a [...]
Page 239, 19.2 Network connections overview: connections from other hosts to services provided by the host with WinRoute; connections performed by clients within the Internet that are mapped to services running in the LAN. WinRoute administrators are allowed to close any of the active connections. Note: 1. Connections among local clients will not be d[...]
Page 240, Chapter 19 Status Information: Source, Destination: IP address of the source (the connection initiator) and of the destination. If there is an appropriate reverse record in DNS, the IP address is substituted with the DNS name. The following columns are hidden by default. They can be enabled through the Modify columns dialog opened from the c[...]
Page 241, 19.2 Network connections overview: Figure 19.8 Context menu for Connections. Refresh: this option refreshes the information in the Connections window immediately. It is equivalent to the Refresh button at the bottom of the window. Auto refresh: settings for automatic refreshing of the information in the Connections window. [...]
Page 242, Chapter 19 Status Information: For each item either a color or the Default option can be chosen. Default colors are set in the operating system (the common setting for default colors is black font and white background). Font Color: Active connections, connections with currently active data traffic; Inactive connections, TCP connectio[...]
Page 243, 19.4 Alerts: IP address: public IP address of the host which the client connects from (see the Hostname column above). Client status: connecting, authenticating (WinRoute verifies username and password), authenticated (username and password correct, client configuration in progress), connected (the configuration has been com[...]
Page 244, Chapter 19 Status Information: Figure 19.12 Alert Definitions. Alert: type of the event upon which the alert is sent: Virus detected: the antivirus engine has detected a virus in a file transmitted by HTTP, FTP, SMTP or POP3 (refer to chapter 13). Portscan detected: WinRoute has detected a port scanning attack (either an attack p[...]
Page 245, 19.4 Alerts: ...cense/subscription (or the license of any module integrated in WinRoute, such as Kerio Web Filter, the McAfee antivirus, etc.) is getting closer. The WinRoute administrator should check the expiration dates and prolong the corresponding license or subscription (for details, refer to chapter 4). Dial / Hang-up of RAS line: WinRoute [...]
Page 246, Chapter 19 Status Information: In the Administration Console, alerts are displayed in the language currently set as preferred (see Kerio Administration Console Help). If alert templates in that language are not available, the English version is used instead. Email and SMS alerts are always in English. Note: In the current WinRoute version, aler[...]
Page 247, 19.4 Alerts: Figure 19.14 Details of a selected event [...]
Page 248, Chapter 20 Basic statistics: Statistical information about users (volume of transmitted data, used services, categorization of web pages) as well as about network interfaces of the WinRoute host (volume of transmitted data, load on individual lines) can be viewed in WinRoute. In the Administration Console it is possible to view basic quota infor[...]
- 
                            Page 24920.1 Volume of transferred data and quota usage 249 Figure 20.1 User statistics is related to the user (the IN direction stands for data received by the user, while OUT represents data sent by the user). Hiding/showing of columns is addressed in chapter 3.2 . 2. Information of volume of data transferred by individual users is saved in the stats.cfg[...] 
- 
                            Page 250Chapter 20 Basic statistics 250 Warning Be aware that using this option for the all users item resets counters of all users, including unrecognized ones! Note: Values of volumes of transferred data are also used to check user traffic quota (see chapter 15.1 ). Reset of user statistics also unblocks traffic of the particular user in case that the tr[...] 
- 
                            Page 25120.2 Interface statistics 251 Figure 20.3 Firewall’s interface statistics Example The WinRoute host connects to the Internet through the Public interface and the local network is connected to the LAN interface. A local user downloads 10 MB of data from the Internet. This data will be counted as follows: • IN at the Public interface is counted a[...] 
- 
                            Page 252Chapter 20 Basic statistics 252 Refresh This option will refresh the information on the Interface Statistics tab immediately. This function is equal to the function of the Refresh button at the bottom of the window. Auto refresh Settings for automatic refreshing of the information on the Interface Statistics tab. Infor- mation can be refreshed in t[...] 
- 
                            Page 25320.2 Interface statistics 253 The period ( 2 hours or 1 day ) can be selected in the Time interval box. The selected time range is always understood as the time until now (“last 2 hours” or “last 24 hours”). The x axis of the chart represents time and the y axis represents traffic speed. The x axis is measured accordingly to a selected time[...] 
- 
                            Page 254254 Chapter 21 Kerio StaR - statistics and reporting The WinRoute’s web interface provides detailed statistics on users, volume of transferred data, visited websites and web categories. This information may help figure out browsing activities and habits of individual users. The statistics monitor the traffic between the local network and the Int[...] 
- 
                            Page 25521.1 Monitoring and storage of statistic data 255 is represented by several files on the disk. This implies that any data is kept in the cache even if the WinRoute Firewall Engine is stopped or another problem occurs (failure of power supply, etc.) though not having been stored in the database yet. The statistics use data from the main database. T[...] 
- 
                            Page 256Chapter 21 Kerio StaR - statistics and reporting 256 The following example addresses case of a mapped web server accessible from the Internet. Any (anonymous) user in the Internet can connect to the server. However, web servers are usually located on a special machine which is not used by any user. Therefore, all traffic of this server will be acco[...] 
- 
                            Page 25721.2 Settings for statistics and quota 257 Enable/disable gathering of statistic data The Gather Internet Usage statistics option enables/disables all statistics (i.e. stops gath- ering of data for statistics). The Monitor user browsing behavior option enables monitoring and logging of browsing activity of individual users. If is not necessary to g[...] 
- 
                            Page 258Chapter 21 Kerio StaR - statistics and reporting 258 Statistics and quota exceptions On the Exceptions tab, it is possible to define exceptions for statistics and for transferred data quota. This feature helps avoid gathering of irrelevant information. Thus, statistics are kept trans- parent and gathering and storage of needless data is avoided. F[...] 
- 
                            Page 25921.3 Connection to StaR and viewing statistics 259 For details on IP groups, see chapter 14.1 . Users and groups Select users and/or user groups which will be excluded from the statistics and no quota will be applied to them. This setting has the highest priority and overrules any other quota settings in user or group preferences. For details on us[...] 
- 
                            Page 260Chapter 21 Kerio StaR - statistics and reporting 260 Note: Within local systems, secured traffic would be useless and the browser would bother user with needless alerts. Remote access to the statistics It is also possible to access the statistics remotely, i.e. from any host which is allowed to connect to the WinRoute host and the web interface’s[...] 
- 
                            Page 26121.3 Connection to StaR and viewing statistics 261 Updating data in StaR First of all, the StaR interface is used for gathering of statistics and creating of reviews for cer- tain periods. To WinRoute , gathering and evaluation of information for StaR means processing of large data volumes. To reduce load on the firewall, data for StaR is updated [...] 
- 
                            Page 262262 Chapter 22 Logs Logs are files where history of certain events performed through or detected by WinRoute are recorded and kept. Each log is displayed in a window in the Logs section. Each event is represented by one record line. Each line starts with a time mark in brackets (date and time when the event took place, in seconds). This mark is fo[...] 
- 
                            Page 26322.1 Log settings 263 Figure 22.1 Log settings File Logging Use the File Logging tab to define file name and rotation parameters. Enable logging to file Use this option to enable/disable logging to file according to the File name entry (the .log extension will be appended automatically). If this option is disabled, none of the following paramet[...] 
- 
                            Page 264Chapter 22 Logs 264 Figure 22.2 File logging settings ter 21.2 ). Rotation follows the rules described above. Syslog Logging Parameters for logging to a Syslog can be defined in the External Logging tab. Figure 22.3 Syslog settings[...] 
- 
                            Page 26522.2 Logs Context Menu 265 Enable Syslog logging Enable/disable logging to a Syslog server. If this option is disabled, none of the following parameters and settings will be available. Syslog server DNS name or IP address of the Syslog server. Facility Facility that will be used for the particular WinRoute log (depends on the Syslog server). Severi[...] 
- 
                            Page 266Chapter 22 Logs 266 The Save log option opens a dialog box where the following optional parameters can be set: Figure 22.5 Saving a log to a file • Target file — name of the file where the log will be saved. By default, a name derived from the file name is set. The file extension is set automatically in accor- dance with the format selecte[...] 
- 
                            Page 26722.2 Logs Context Menu 267 Hint Select a new encoding type if special characters are not printed correctly in non-English versions. Log Settings A dialog where log parameters such as log file name, rotation and Syslog parameters can be set. These parameters can also be set in the Log settings tab under Configuration → Accounting . For details, [...] 
- 
                            Page 268Chapter 22 Logs 268 Highlighting rules are ordered in a list. The list is processed from the top. The first rule meeting the criteria stops other processing and the found rule is highlighted by the particular color. Thanks to these features, it is possible to create even more complex combinations of rules, exceptions, etc. In addition to this, eac[...] 
- 
                            Page 26922.3 Alert Log 269 22.3 Alert Log The Alert log provides a complete history of alerts generated by WinRoute (e.g. alerts upon virus detection, dialing and hanging-up, reached quotas, detection of P2P networks, etc.). Each event in the Alert log includes a time stamp (date and time when the event was logged) and information about an alert type (in c[...] 
- 
                            Page 270Chapter 22 Logs 270 Example [18/Apr/2008 10:27:46] james - insert StaticRoutes set Enabled=’1’, Description=’VPN’, Net=’192.168.76.0’, Mask=’255.255.255.0’, Gateway=’192.168.1.16’, Interface=’LAN’, Metric=’1’ • [18/Apr/2008 10:27:46] — date and time when the record was written • jsmith — the login name of the use[...] 
- 
                            Page 27122.6 Debug Log 271 • [18/Apr/2008 10:22:47] — date and time when the event was logged (note: Con- nection logs are saved immediately after a disconnection). • [ID] 613181 — WinRoute connection identification number • [Rule] NAT — name of the traffic rule which has been used (a rule by which the traffic was allowed or denied). • [Serv[...] 
- 
                            Page 272Chapter 22 Logs 272 Figure 22.8 Expression for traffic monitored in the debug log The expression must be defined with special symbols. After clicking on the Help button, a brief description of possible conditions and examples of their use will be displayed. Logging of IP traffic can be cancelled by leaving or setting the Expression entry blank. Sh[...] 
- 
                            Page 27322.7 Dial Log 273 • WAN / Dial-up messages information about dialed lines (request dialing, auto disconnection down-counter), • Filtering — logs proving information on filtering of traffic passing through WinRoute (antivirus control, website classification, detection and elimination of P2P networks, dropped packets, etc.), • Accounting ?[...] 
- 
                            Page 274Chapter 22 Logs 274 connection time 00:15:53, 1142391 bytes received, 250404 bytes transmitted The first log item is recorded upon reception of a hang-up request. The log provides information about interface name, client type, IP address and username. The second event is logged upon a successful hang-up. The log provides information about interfac[...] 
- 
                            Page 27522.8 Error Log 275 Another event is logged upon a successful connection (i.e. when the line is dialed, upon authentication on a remote server, etc.). 6. Connection error (e.g. error at the modem was detected, dial-up was disconnected, etc.) [15/Mar/2008 15:59:08] DNS query for "www.microsoft.com" (packet UDP 192.168.1.2:4579 -> 195.146[...] 
- 
                            Page 276Chapter 22 Logs 276 • 8100-8199 — errors of the Kerio Web Filter module • 8200-8299 — authentication subsystem errors • 8300-8399 — anti-virus module errors (anti-virus test not successful, problems when storing temporary files, etc.) • 8400-8499 — dial-up error (unable to read defined dial-up connections, line configu- ration er[...] 
- 
                            Page 27722.10 Http log 277 Packet log example [16/Apr/2008 10:51:00] PERMIT ’Local traffic’ packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7 • [16/Apr/2008 10:51:00] — date and time when the event was logged • PERMIT — action that was executed[...] 
- 
                            Page 278Chapter 22 Logs 278 An example of an HTTP log record in the Apache format 192.168.64.64 - jflyaway [18/Apr/2008:15:07:17 +0200] "GET http://www.kerio.com/ HTTP/1.1" 304 0 +4 • 192.168.64.64 — IP address of the client host • rgabriel — name of the user authenticated through the firewall (a dash is displayed if no user is authentic[...] 
- 
                            Page 27922.11 Security Log 279 Example [17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0 • packet from — packet direction (either from , i.e. sent via the interface, or to , i.e. received via the interface) • LAN — interf[...] 
- 
                            Page 280Chapter 22 Logs 280 administration interface, WebAdmin SSL = secure web administration interface, Proxy = proxy server user authentication) • <IP address> — IP address of the computer from which the user attempted to authenticate • <reason> — reason of the authentication failure (nonexistent user / wrong pass- word) Note: For de[...] 
- 
                            Page 28122.14 Web Log 281 • 3000-3999 — warning from individual WinRoute modules (e.g. DHCP server, anti-virus check, user authentication, etc.) • 4000-4999 — license warnings (subscription expiration, forthcoming expiration of WinRoute’s license, Kerio Web Filter license, or the McAfee anti-virus license) Note: License expiration is considered t[...] 
- 
                            Page 282Chapter 22 Logs 282 Note: If the page title cannot be identified (i.e. for its content is compressed), the "Encoded content" will be reported. • http://www.kerio.com/ — URL pages[...] 
- 
                            Page 283283 Chapter 23 Kerio VPN WinRoute enables secure interconnection of remote private networks using an encrypted tun- nel and it provides clients secure access to their local networks via the Internet. This method of interconnection of networks (and of access of remote clients to local networks) is called virtual private network ( VPN ). WinRoute inc[...] 
- 
                            Page 284Chapter 23 Kerio VPN 284 • No special user accounts must be created for VPN clients. User accounts in WinRoute (or domain accounts if the Active Directory is used — see chapter 10.1 ) are used for authentication. • Statistics about VPN tunnels and VPN clients can be viewed in WinRoute (refer to chap- ter 20.2 ). 23.1 VPN Server Configuration[...] 
- 
                            Page 28523.1 VPN Server Configuration 285 Figure 23.2 VPN server settings — basic parameters The action will be applied upon clicking the Apply button in the Interfaces tab. IP address assignment Specification of a subnet (i.e. IP address and a corresponding network mask) from which IP addresses will be assigned to VPN clients and to remote endpoints o[...] 
- 
                            Page 286Chapter 23 Kerio VPN 286 later). 2. Regarding two VPN tunnels, it is also examined when establishing a connection whether the VPN subnet does not collide with IP ranges at the other end of the tunnel (remote endpoint). If a collision with an IP range is reported upon startup of the VPN server (upon click- ing Apply in the Interfaces tab), the VPN s[...] 
- 
                            Page 28723.1 VPN Server Configuration 287 Figure 23.4 VPN server settings — specification of DNS servers for VPN clients If the DNS module is already used as a DNS server for local hosts, it is recommended to use it also for VPN clients. The DNS module provides the fastest responses to client DNS requests and possible collision (inconsistency) of DNS r[...] 
- 
                            Page 288Chapter 23 Kerio VPN 288 WINS configuration for VPN clients The WINS service is used for resolution of hostnames to IP addresses within Microsoft Windows networks. Assigning of a WINS server address then allows VPN clients browse in LAN hosts ( Network Neighborhood / My Network Places ). Figure 23.5 VPN server settings — specification of WINS s[...] 
- 
                            Page 28923.2 Configuration of VPN clients 289 Figure 23.6 VPN server settings — server port and routes for VPN clients Custom Routes Other networks to which a VPN route will be set for the client can be specified in this section. By default, routes to all local subnets at the VPN server’s side are defined — see chapter 23.4 ). Hint Use the 255.255[...] 
- 
                            Page 290Chapter 23 Kerio VPN 290 Note: Remote VPN clients connecting to WinRoute are included toward the number of persons using the license (see chapters 4 and 4.6 ). Be aware of this fact when deciding on what license type should be purchased (or whether an add-on for upgrade to a higher number of users for the license should be bought). Hint: VPN client[...] 
- 
                            Page 29123.3 Interconnection of two private networks via the Internet (VPN tunnel) 291 23.3 Interconnection of two private networks via the Internet (VPN tunnel) WinRoute with support for VPN (VPN support is included in the typical installation) must be installed in both networks to enable creation of an encrypted tunnel between a local and a remote networ[...] 
- 
                            Page 292Chapter 23 Kerio VPN 292 Name of the tunnel Each VPN tunnel must have a unique name. This name will be used in the table of inter- faces, in traffic rules (see chapter 7.3 ) and interface statistics (details in chapter 20.2 ). Configuration Selection of a mode for the local end of the tunnel: • Active — this side of the tunnel will automatical[...] 
- 
                            Page 29323.3 Interconnection of two private networks via the Internet (VPN tunnel) 293 Figure 23.9 VPN tunnel — certificate fingerprints DNS Settings DNS must be set properly at both sends of the tunnel so that it is possible to connect to hosts in the remote network using their DNS names. One method is to add DNS records of the hosts (to the hosts fi[...] 
- 
                            Page 294Chapter 23 Kerio VPN 294 Figure 23.10 VPN tunnel’s routing configuration Connection establishment Active endpoints automatically attempt to recover connection whenever they detect that the corresponding tunnel has been disconnected (the first connection establishment is attempted immediately after the tunnel is defined and upon clicking the Ap[...] 
- 
                            Page 29523.3 Interconnection of two private networks via the Internet (VPN tunnel) 295 Note: VPN tunnels keeps their connection (by sending special packets in regular time intervals) even if no data is transmitted. This feature protects tunnels from disconnection by other firewalls or network devices between ends of tunnels. Traffic Policy Settings for VP[...] 
- 
                            Page 296Chapter 23 Kerio VPN 296 2. Traffic rules set by this method allow full IP communication between the local network, remote network and all VPN clients. For access restrictions, define corresponding traffic rules (for local traffic, VPN clients, VPN tunnel, etc.). Examples of traffic rules are provided in chapter 23.5 . 23.4 Exchange of routing inf[...] 
- 
                            Page 29723.5 Example of Kerio VPN configuration: company with a filial office 297 Routes provided automatically Unless any custom routes are defined, the following rules apply to the interchange of routing information: • default routes as well as routes to networks with default gateways are not exchanged (default gateway cannot be changed for remote V[...] 
- 
                            Page 298Chapter 23 Kerio VPN 298 The server (default gateway) of the headquarters uses the public IP address 63.55.21.12 (DNS name is newyork.company.com ), the server of the branch office uses a dynamic IP address assigned by DHCP. The local network of the headquarters consists of two subnets, LAN 1 and LAN 2 . The head- quarters uses the company.com DNS [...] 
- 
                            Page 29923.5 Example of Kerio VPN configuration: company with a filial office 299 Common method The following actions must be taken in both local networks (i.e. in the main office and the filial): 1. It is necessary that WinRoute in version 6.0.0 or higher (older versions do not include Kerio VPN ) is installed at the default gateway. Note: For each ins[...] 
- 
                            Page 300Chapter 23 Kerio VPN 300 6. In traffic rules, allow traffic between the local network, remote network and VPN clients and set desirable access restrictions. In this network configuration, all desirable restric- tions can be set at the headquarter’s server. Therefore, only traffic between the local network and the VPN tunnel will be enabled at th[...] 
- 
                            Page 30123.5 Example of Kerio VPN configuration: company with a filial office 301 In step 5, select Create rules for Kerio VPN server . Status of the Create rules for Kerio Clientless SSL-VPN option is irrelevant (this example does not include Clientless SSL-VPN interface’s issues). Figure 23.15 Headquarter — creating default traffic rules for Kerio [...] 
- 
                            Page 302Chapter 23 Kerio VPN 302 Figure 23.17 Headquarter — DNS forwarding settings • Set the IP address of this interface ( 10.1.1.1 ) as a primary DNS server for the WinRoute host’s interface connected to the LAN 1 local network. It is not necessary to set DNS server at the interface connected to LAN 2 — DNS configuration is applied globally to [...] 
- 
                            Page 30323.5 Example of Kerio VPN configuration: company with a filial office 303 • Set the IP address 10.1.1.1 as a primary DNS server also for the other hosts. Note: For proper functionality of DNS, the DNS database must include records for hosts in a corresponding local network. To achieve this, save DNS names and IP addresses of local hosts into th[...] 
- 
                            Page 304Chapter 23 Kerio VPN 304 5. Create a passive end of the VPN tunnel (the server of the branch office uses a dynamic IP address). Specify the remote endpoint’s fingerprint by the fingerprint of the certificate of the branch office VPN server. Figure 23.20 Headquarter — definition of VPN tunnel for a filial office 6. Customize traffic rules a[...] 
- 
                            Page 30523.5 Example of Kerio VPN configuration: company with a filial office 305 Figure 23.21 Headquarter — final traffic rules Rules defined this way meet all the restriction requirements. Traffic which will not match any of these rules will be blocked by the default rule (see chapter 7.3 ). Configuration of a filial office 1. Install WinRoute (v[...] 
- 
                            Page 306Chapter 23 Kerio VPN 306 In this case, it would be meaningless to create rules for the Kerio VPN server and/or the Kerio Clientless SSL-VPN , since the server uses a dynamic public IP address). Therefore, leave these options disabled in step 5. Figure 23.23 A filial — it is not necessary to create rules for the Kerio VPN server This step will cr[...] 
- 
                            Page 30723.5 Example of Kerio VPN configuration: company with a filial office 307 Figure 23.25 Filial office — DNS forwarding settings Figure 23.26 Filial office — TCP/IP configuration at a firewall’s interface connected to the local network • Set the IP address 192.168.1.1 as a primary DNS server also for the other hosts. Note: For proper func[...] 
- 
                            Page 308Chapter 23 Kerio VPN 308 certificate provided by a certification authority is available). Note: A free subnet which has been selected is now specified automatically in the VPN network and Mask entries. Figure 23.27 Filial office — VPN server configuration For a detailed description on the VPN server configuration, refer to chapter 23.1 . 5. [...] 
- 
                            Page 30923.5 Example of Kerio VPN configuration: company with a filial office 309 Figure 23.28 Filial office — definition of VPN tunnel for the headquarters Figure 23.29 Filial office — final traffic rules Note: It is not necessary to perform any other customization of traffic rules. The required restrictions should be already set in the traffic po[...] 
- 
                            Page 310Chapter 23 Kerio VPN 310 VPN test Configuration of the VPN tunnel has been completed by now. At this point, it is recommended to test availability of the remote hosts from each end of the tunnel (from both local networks). For example, the ping or/and tracert operating system commands can be used for this testing. It is recommended to test availab[...] 
- 
                            Page 31123.6 Example of a more complex Kerio VPN configuration 311 The headquarters uses the DNS domain company.com , filials use subdomains santaclara.company.com and newyork.company.com . Configuration of individual local networks and the IP addresses used are shown in the figure. Figure 23.30 Example of a VPN configuration — a company with two ?[...] 
- 
                            Page 312Chapter 23 Kerio VPN 312 To provide correct forwarding of DNS requests from a WinRoute host, it is necessary to use an IP address of a network device belonging to the host as the primary DNS server. As a secondary DNS server, a server where DNS requests addressed to other domains will be forwarded must be specified (typically the ISP’s DNS serve[...] 
- 
                            Page 31323.6 Example of a more complex Kerio VPN configuration 313 The following sections provide detailed description of the Kerio VPN configuration both for the headquarter and the filial offices. Headquarters configuration 1. Install WinRoute (version 6.1.0 or higher) at the default gateway of the headquarters network. 2. Use Network Rules Wizard (s[...] 
- 
                            Page 314Chapter 23 Kerio VPN 314 This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network (through the firewall). Figure 23.33 Headquarter — default traffic rules for Kerio VPN 3. Customize DNS configuration as follows: • In the WinRoute’s DNS module configuration, enable DNS f[...] 
- 
                            Page 31523.6 Example of a more complex Kerio VPN configuration 315 Figure 23.35 Headquarter — TCP/IP configuration at a firewall’s interface connected to the local network[...] 
- 
                            Page 316Chapter 23 Kerio VPN 316 4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certification authority is available). Note: A free subnet which has been selected is now specified automatically in the VPN network and Mask entries. Check whether this subnet does not collide [...] 
- 
                            Page 31723.6 Example of a more complex Kerio VPN configuration 317 5. Create a passive endpoint of the VPN tunnel connected to the London filial. Use the fin- gerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate. Figure 23.37 Headquarter — definition of VPN tunnel for the Londo[...] 
- 
                            Page 318Chapter 23 Kerio VPN 318 Figure 23.38 The headquarters — routing configuration for the tunnel connected to the London filial Warning In case that the VPN configuration described here is applied (see figure 23.30 ), it is un- recommended to use automatically provided routes! In case of an automatic exchange of routes, the routing within the VP[...] 
- 
                            Page 31923.6 Example of a more complex Kerio VPN configuration 319 6. Use the same method to create a passive endpoint for the tunnel connected to the Paris filial. Figure 23.39 The headquarters — definition of VPN tunnel for the Paris filial On the Advanced tab, select the Use custom routes only option and set routes to the sub- nets at the remote e[...] 
- 
                            Page 320Chapter 23 Kerio VPN 320 Figure 23.40 The headquarters — routing configuration for the tunnel connected to the Paris filial Figure 23.41 Headquarter — final traffic rules[...] 
- 
                            Page 32123.6 Example of a more complex Kerio VPN configuration 321 Configuration of the London filial 1. Install WinRoute (version 6.1.0 or higher) at the default gateway of the filial’s network. 2. Use Network Rules Wizard (see chapter 7.1 ) to configure the basic traffic policy in WinRoute . To keep the example as simple as possible, it is suppose[...] 
- 
Page 322 (Chapter 23 Kerio VPN): This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network (through the firewall). Figure 23.44 The London filial office — default traffic rules for Kerio VPN. 3. Customize DNS configuration as follows: • In the WinRoute’s DNS module configuration[...]

Page 323 (23.6 Example of a more complex Kerio VPN configuration): Figure 23.46 The London filial office — VPN server configuration. For a detailed description on the VPN server configuration, refer to chapter 23.1. 5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerpri[...]

Page 324 (Chapter 23 Kerio VPN): branch office server. Figure 23.47 The London filial office — definition of VPN tunnel for the headquarters[...]

Page 325 (23.6 Example of a more complex Kerio VPN configuration): Figure 23.48 The London filial — routing configuration for the tunnel connected to the headquarters[...]

Page 326 (Chapter 23 Kerio VPN): 6. Create a passive endpoint of the VPN tunnel connected to the Paris filial. Use the fingerprint of the VPN server of the Paris filial office as a specification of the fingerprint of the remote SSL certificate. Figure 23.49 The London filial office — definition of VPN tunnel for the Paris filial office. On the [...]

Page 327 (23.6 Example of a more complex Kerio VPN configuration): Figure 23.50 The London filial — routing configuration for the tunnel connected to the Paris branch office. Figure 23.51 The London filial office — final traffic rules[...]

Page 328 (Chapter 23 Kerio VPN): Configuration of the Paris filial. 1. Install WinRoute (version 6.1.0 or higher) at the default gateway of the filial’s network. 2. Use Network Rules Wizard (see chapter 7.1) to configure the basic traffic policy in WinRoute. To keep the example as simple as possible, it is supposed that the access from the local net[...]

Page 329 (23.6 Example of a more complex Kerio VPN configuration): 3. Customize DNS configuration as follows: • In the WinRoute’s DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers). • Enable the Use custom forwarding option and define rules for names in the company.com and filial1.company.com domains. Spe[...]

Page 330 (Chapter 23 Kerio VPN): Figure 23.55 The Paris filial office — VPN server configuration[...]

Page 331 (23.6 Example of a more complex Kerio VPN configuration): 5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerprint of the VPN server of the headquarters as a specification of the fingerprint of the remote SSL certificate. Figure 23.56 The Paris filial office —[...]

Page 332 (Chapter 23 Kerio VPN): Paris branch office server. Figure 23.57 The Paris filial — routing configuration for the tunnel connected to the headquarters[...]

Page 333 (23.6 Example of a more complex Kerio VPN configuration): 6. Create an active endpoint of the tunnel connected to London (server gw-london.company.com). Use the fingerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate. Figure 23.58 The Paris filial office — definition [...]

Page 334 (Chapter 23 Kerio VPN): Figure 23.59 The Paris filial — routing configuration for the tunnel connected to the London branch office. Figure 23.60 The Paris filial office — final traffic rules. connect to this branch office). VPN test: The VPN configuration has been completed by now. At this point, it is recommended to test reachability of the[...]
Page 335: Chapter 24 Kerio Clientless SSL-VPN (Windows). Kerio Clientless SSL-VPN (hereinafter “SSL-VPN”) is a special interface used for secured remote access to shared items (files and folders) in the network protected by WinRoute via a web browser. This interface is available only in WinRoute on Windows. To a certain extent, the SSL-VPN interf[...]

Page 336 (Chapter 24 Kerio Clientless SSL-VPN (Windows)): SSL-VPN interface configuration. The SSL-VPN interface can be enabled/disabled on the Web Interface → SSL-VPN in the Configuration → Advanced Options section. Figure 24.1 Configuration of the SSL-VPN interface. Through the Advanced button, you can get to configuration of a port and SSL certi[...]

Page 337 (24.2 Usage of the SSL-VPN interface): Allowing access from the Internet. Access to the SSL-VPN interface from the Internet must be allowed by defining a traffic rule allowing connection to the firewall’s HTTPS service. For details, see chapter 7.4. Figure 24.3 Traffic rule allowing connection to the SSL-VPN interface. Note: If the port for SSL[...]
Page 338: Chapter 25 Specific settings and troubleshooting. This chapter provides a description of advanced features and specific configurations of the firewall. It also includes helpful guidelines for solving issues which might occur when you use WinRoute in your network. 25.1 Configuration Backup and Transfer. If you need to reinstall the firewa[...]

Page 339 (25.2 Configuration files): 25.2 Configuration files. This chapter provides clear descriptions of WinRoute configuration and status files. This information can be helpful for example when troubleshooting specific issues in cooperation with the Kerio Technologies technical support department. For backup and recovery of your firewall confi[...]

Page 340 (Chapter 25 Specific settings and troubleshooting): Status files. In addition, WinRoute generates other files and directories where certain status information is saved: Files: dnscache.cfg: DNS files stored in the DNS module’s cache (see chapter 8.1). leases.cfg: IP addresses assigned by the DHCP server. This file keeps all information availa[...]

Page 341 (25.3 Automatic user authentication using NTLM): General conditions. The following conditions are applied to this authentication method: 1. WinRoute Firewall Engine is running as a service or it is running under a user account with administrator rights to the WinRoute host. 2. The server (i.e. the WinRoute host) belongs to a corresponding Windows N[...]

Page 342 (Chapter 25 Specific settings and troubleshooting): The configuration of the WinRoute’s web interface must include a valid DNS name of the server on which WinRoute is running (for details, see chapter 11.1). Figure 25.2 Configuration of WinRoute’s Web Interface. Note: In the Software Appliance / VMware Virtual Appliance edition, the server [...]

Page 343 (25.4 FTP on WinRoute’s proxy server): NTLM authentication arise, it is recommended to remove all usernames/passwords for the server where WinRoute is installed from the Password Manager. Firefox/SeaMonkey: The browser displays the login dialog. For security reasons, automatic user authentication is not used by default in the browser. This beh[...]

Page 344 (Chapter 25 Specific settings and troubleshooting): Terminal FTP clients (such as the ftp command in Windows or Linux) do not allow configuration of the proxy server. For this reason, they cannot be used for our purposes. 2. To connect to FTP servers, the proxy server uses the passive FTP mode. If the FTP server is protected by a firewall which [...]

Page 345 (25.4 FTP on WinRoute’s proxy server): Figure 25.3 Configuring proxy server in Internet Explorer 6.0. Hint: To configure web browsers, you can use a configuration script or the automatic detection of configuration. For details, see chapter 8.4. Note: Web browsers used as FTP clients only allow downloading of files. Uploads to FTP server via we[...]

Page 346 (Chapter 25 Specific settings and troubleshooting): Figure 25.4 Setting proxy server for FTP in Total Commander. Hint: The defined proxy server is indexed and saved to the list of proxy servers automatically. Later, whenever you are creating other FTP connections, you can simply select a corresponding proxy server in the list. 25.5 Internet links [...]

Page 347 (25.5 Internet links dialed on demand): If WinRoute receives a packet from the local network, it will compare it with the system routing table. If the packet goes out to the Internet, no record will be found, since there is no default route in the routing table. Under usual circumstances, the packet would be dropped and a control message informin[...]

Page 348 (Chapter 25 Specific settings and troubleshooting): from the local host to the Internet, the packet will be dropped by the operating system before the WinRoute driver is able to capture it. 2. Typically the server is represented by the DNS name within traffic between clients and an Internet server. Therefore, the first packet sent by a client is[...]

Page 349 (25.5 Internet links dialed on demand): 5. The Proxy server in WinRoute (see chapter 8.4) also provides direct dial-up connections. A special page providing information on the connection process is opened (the page is refreshed in short periods). Upon a successful connection, the browser is redirected to the specified Website. Unintentionally di[...]

Page 350 (Chapter 25 Specific settings and troubleshooting): All DNS names missing a suitable rule will be dialed automatically by the DNS module when demanded. In Actions for DNS name, you can select either the Dial or the Ignore option. Use the second option to block dialing of the line in response to a request for this DNS name. The Dial action can be [...]
Page 351: Chapter 26 Technical support. Free email and telephone technical support is provided for Kerio WinRoute Firewall. Contacts and more information can be found at http://www.kerio.com/support. Our technical support staff is ready to help you with any problem you might have. You can also solve many problems alone (and sometimes even faster). Be[...]

Page 352 (Chapter 26 Technical support): as kerio_support_info.txt. Note: The kerio_support_info.txt is generated by the Administration Console. This implies that in case you connect to the administration remotely, this file will be stored on the computer from which you connect to the WinRoute administration (not on the computer/server where the WinRout[...]
Page 353: Appendix A Legal Notices. Microsoft, Windows, Windows NT, Windows Vista, Internet Explorer, ActiveX, and Active Directory are registered trademarks or trademarks of Microsoft Corporation. Mac OS and Safari are registered trademarks or trademarks of Apple Computer, Inc. Linux is a registered trademark [...]

Page 354: Appendix B Used open source items. Kerio WinRoute Firewall contains the following open-source software (open source): bindlib: Copyright 1983, 1993 The Regents of the University of California. All rights reserved. Portions Copyright 1993 by Digital Equipment Corporation. Firebird: This software embeds a modified version of the Firebird database[...]

Page 355: KVNET — driver. Kerio Virtual Network Interface driver for Linux (driver for the Kerio VPN virtual network adapter). Copyright Kerio Technologies s.r.o. Homepage: http://www.kerio.com/ Kerio Virtual Network Interface driver for Linux is distributed and licensed under GPL version 2. The complete source code is available at: http://download.k[...]

Page 356 (Appendix B Used open source items): PHP: Copyright 1999-2006 The PHP Group. All rights reserved. This product includes PHP software available for free at: http://www.php.net/software/ php_mbstring: Copyright 2001-2004 The PHP Group. Copyright 1998-2002 HappySize, Inc. All rights reserved. Prototype: Framework in JavaScript. Copyright [...]
Page 357: Glossary of terms. ActiveX: This Microsoft proprietary technology is used for creation of dynamic objects for web pages. This technology provides many features, such as writing to disk or execution of commands at the client (i.e. on the host where the Web page is opened). This technology provides a wide range of features, such as saving to di[...]

Page 358 (Glossary of terms): DMZ: DMZ (demilitarized zone) is a reserved network area where services available both from the Internet and from the LAN are run (e.g. a company’s public web server). DMZ provides an area where publicly accessible servers are located separately, so they cannot be misused for cracking into the LAN. More information can [...]

Page 359: Ident: The Ident protocol is used for identification of the user who established a certain TCP connection from a particular (multi-user) system. The Ident service is used for example by IRC servers, FTP servers and other services. More information (in English) can be found for example at Wikipedia. IMAP: Internet Message Access Protocol (IMAP) enab[...]

Page 360 (Glossary of terms): will be redirected to this host. Packets that do not match any record in the NAT table will be dropped. • destination address translation (Destination NAT, DNAT, also called port mapping) — is used to enable services in the local network from the Internet. If any packet incoming from the Internet meets certain[...]

Page 361: Ports 1-1023 are reserved and used by well known services (e.g. 80 = WWW). Ports above 1023 can be freely used by any application. PPTP: Microsoft’s proprietary protocol used for design of virtual private networks. See chapters and sections concerning VPN. Private IP addresses: Local networks which do not belong to the Internet (private networ[...]

Page 362 (Glossary of terms): Routing table: The information used by routers when making packet forwarding decisions (so called routes). Packets are routed according to the packet’s destination IP address. On Windows, the routing table can be printed by the route print command, while on Unix systems (Linux, Mac OS X, etc.) by the route command. Script: A c[...]

Page 363: • RST (Reset) — request on termination of a current connection and on initiation of a new one • URG (Urgent) — urgent packet • PSH (Push) — request on immediate transmission of the data to upper TCP/IP layers • FIN (Finalize) — connection finalization. TCP/IP: Name used for all traffic protocols used in the Internet (i.e. for IP,[...]
Page 364: Index. A: Active Directory 196; domain mapping 204; import of user accounts 203; mapping of other domains 208; administration 27; remote 18, 215; Administration Console 27; columns 31; views setup 31; alerts 243; overview 246; settings 243; templates 245; anti-spoofing 222; antivirus check 11, 167; conditions 167; external antivirus 170; file size limits 171 [...]

Page 365: local domain 107; dynamic DNS 119. F: FTP 147, 186, 343; filtering rules 162; full cone NAT 87. G: groups; interface throughput charts 47; IP address 180; of forbidden words 160; URL 187; user groups 190, 196, 210. H: H.323 186; hairpinning 102; HTTP 147; cache 124; content rating 154; filtering by words 158; logging of requests 154; proxy server 121; URL Rule[...]

Page 366 (Index): M: media hairpinning 102; multihoming 93. N: NAT 84, 90; full cone NAT 87, 101; NT domain import of user accounts 203; NTLM 138, 139; configuration of web browsers 343; deployment 340; WinRoute configuration 341. P: P2P Eliminator 218; Peer-to-Peer (P2P) networks 218; allow 198, 213; deny 218; detection 235; ports 220; speed limit 218; policy routing [...]

Page 367: traffic policy 71; created by wizard 75; default rule 77; definition 78; exceptions 95; Internet access limiting 94; wizard 71; transparent proxy 124; Trial ID 37; TTL 125, 128. U: uninstallation 19; update antivirus 168; WinRoute 216; upgrade 13, 19; automatic update 216; UPnP settings 227; system services 16; user accounts 190; definition 191; domain mapping[...]