Manuals / Kerio Tech / Computer Equipment / Network Router

Kerio Tech Firewall6 manual Firewall User Authentication, 121

Models: Firewall6

1 398

Download 398 pages 11.9 Kb

Page 121

Chapter 8

User Authentication

WinRoute allows administrators to monitor connections (packet, connection, Web pages or FTP objects and command ﬁltering) related to each user. The username in each ﬁlter- ing rule represents the IP address of the host(s) from which the user is connected (i.e. all hosts the user is currently connected from). This implies that a user group represents all IP addresses its members are currently connected from.

In addition to authentication based access limitations, user login can be used to eﬀec- tively monitor activity using logs (see chapter 2020)), and status (see chapter 17.2) and hosts and users (see chapter 17.1). If there is no user connected from a certain host, only the IP address of the host will be displayed in the logs and statistics.

8.1 Firewall User Authentication

Any user with their own account in WinRoute can authenticate at the ﬁrewall (regardless their access rights). Users can connect:

•Manually — by opening the WinRoute web interface in their browser https://server:4081/ or http://server:4080/

(the name of the server and the port numbers are examples only — see chapter 9). It is also possible to authenticate for viewing of the web statistics (see chapter 19) at https://server:4081/star or http://server:4080/star

The user will be also authenticated at the ﬁrewall within this authentication.

•Redirection — when accessing any website (unless access to this page is explicitly allowed to unauthenticated users — see chapter 10.2).

•Using NTLM — if Microsoft Internet Explorer or Firefox/Netscape/Mozilla/SeaMonkey is used and the user is authenticated in a Windows NT domain or Active Directory, the user can be authenticated automatically (the login page will not be displayed). For details, see chapter 23.3.

•Automatically — IP addresses of hosts from which they will be authenticated auto- matically can be associated with individual users. This actually means that whenever

121

Image 121

Kerio Tech Firewall6 manual Firewall User Authentication, 121

Contents

Kerio Technologies Administrator’s GuidePage Contents 113 Remote Administration and Update Checks 209 Kerio Clientless SSL-VPN 355 393 Quick Checklist Page Introduction Basic FeaturesKerio WinRoute Firewall Kerio WinRoute Firewall Additional FeaturesTransparent support for Active Directory Antivirus controlEmail alerts User quotasClientless SSL-VPN Conﬂicting softwareCollision of low-level drivers Port collisionAntivirus applications Installation InstallationSteps to be taken before the installation System requirementsInstallation and Basic Conﬁguration Guide Custom installation selecting optional components Protection of the installed product Conﬂicting Applications and System Services WinRoute Firewall Engine WinRoute ComponentsWinRoute Engine Monitor WinRoute Engine Monitor Kerio Administration ConsoleWinRoute Engine Monitor Upgrade and Uninstallation Uninstallation Upgrade and UninstallationTypically the path C\Program Files\Kerio\WinRoute Firewall Update Checker Upgrade from WinRoute ProSetting of administration username and password Conﬁguration WizardEnable remote access Remote AccessRemote IP address Initial conﬁguration Allowing remote administration Administration Window WinRoute AdministrationAdministration Window Main menu WinRoute AdministrationFile Help menuStatus bar Administration WindowDetection of WinRoute Firewall Engine connection drop-out Column customization in Interfaces View SettingsView Settings License types and number of users Product Registration and LicensingLicense types optional components Deciding on a number of users licenses License types and number of usersProduct License informationCopyright HomepageSubscription expiration date License IDProduct expiration date Number of usersRegistration of the trial version Registration of the product in the Administration ConsoleTrial version registration security code Registration of the product in the Administration ConsoleTrial version registration other information Trial version registration Trial ID Registration of the purchased productProduct Registration and Licensing Registration of the product in the Administration Console 10 Product registration user information 12 Product registration summary Update of registration informationProduct registration at the website Subscription / Update ExpirationBubble alerts Subscription / Update Expiration15 The notice that the subscription has already expired User counterStart WinRoute User counterLicense counter License release Network interfaces Settings for Interfaces and Network ServicesInterface IP Address and MaskAdapter info Dial or Hang Up /Enebale, DisableAdd ModifySpecial interfaces RefreshDial-In VPN serverInterface type selection Bind this interfaceUse the following login data Use login data from the RAS entryInterface name RAS EntryDial-up demand dial ConnectionAdvanced Hangup if idleEdit Interface parameters Connection FailoverEnable automatic connection failover Connection Failover SetupConnection Failover Current connectionConﬁguration of primary and secondary Internet connection Secondary connection Primary connectionDial-up Use DNS Forwarder conﬁguration DNS ForwarderDNS Forwarder Enable DNS forwardingDNS forwarding Enable DNS forwarding Enable cache for faster response of repeated queriesClear cache Use custom forwarding10 Speciﬁc settings of DNS forwarding 11 DNS forwarding a new rule Simple DNS resolutionCombine the name ... with DNS domain Before forwarding a queryDhcp server Dhcp Server Conﬁguration Dhcp serverDeﬁnition of Scopes and Reservations DNS server Lease timeWins server Domain15 Dhcp server IP scopes deﬁnition DescriptionSubnet mask First address, Last addressExclusions Parameters 00bca5f21e50 Lease ReservationsLeases Bc-a5-f2-1e-5020 Dhcp server list of leased and reserved IP addresses Windows RAS Dhcp server advanced optionsDeclined options Proxy serverProxy server Enable non-transparent proxy serverProxy Server Conﬁguration 22 Http proxy server settings Enable connection to any TCP portHttp//192.168.1.13128/pac/proxy.pac Forward to parent proxy serverEnable cache on proxy server Enable cache on transparent proxyHttp cache Http protocol TTLCache size Http cacheMax Http object size Memory cache sizeCache Options URL URL Speciﬁc SettingsTTL Cache status and administration26 Http cache administration dialog Network Rules Wizard Traﬃc PolicyInformation Network Rules WizardSelection of Internet connection type Network Policy Wizard selection of a connected adapter Network adapter or dial-up selectionAllow access to all services Internet access limitationsEnabling Kerio VPN traﬃc Allow access to the following services onlyService Service is running onGenerating the rules NATIcmp traﬃc Rules Created by the WizardLocal Traﬃc Firewall Traﬃc Deﬁnition of Custom Traﬃc Rules How traﬃc rules workName 12 Traﬃc rule name, color and rule description Source, DestinationIP range e.g Deﬁnition of Custom Traﬃc Rules 100 Service101 Action102 Log103 Translation20 Traﬃc rule destination address translation 104Protocol inspector Valid on105 IP Translation NAT Basic Traﬃc Rule TypesSource DestinationPlacing the rule TranslationPort mapping 107108 Multihoming Limiting Internet Access109 110 111 Exclusions112 Speed limits for big data volumes transmissions How the bandwidth limiter works and how to use itBandwidth Limiter Speed limits for users with their quota exceededBandwidth Limiter conﬁguration Setting limit valuesBandwidth Limiter 114Advanced Options Services115 116 IP Addresses and Time Interval117 Bandwidth Limiter selection of network services118 Detection of connections with large data volume transferredExamples Detection of connections with large data volume transferred119 120 Firewall User Authentication User Authentication121 User authentication advanced options User Authentication122 Redirection to the authentication Firewall User AuthenticationEnable non-transparent proxy server authentication Automatic authentication Ntlm124 Automatically logout users when they are inactiveEnable Web Interface Http Enable Kerio SSL-VPN serverWeb Interface Web Interface Parameters ConﬁgurationAllow access only from these IP addresses Enable secured Web Interface HttpsWeb Interface WinRoute server name127 Conﬁguration of ports of the Web InterfaceGenerate or Import Certiﬁcate SSL Certiﬁcate for the Web Interface128 SSL certiﬁcate of WinRoute’s Web interface 129Web Interface Language Preferences Login/logoutUsers logged 130Drdolittle@usoffice.company.com Login/logout131 Log out User password authentication132 Status information and user statistics Status information and user statistics133 134 User preferencesUser preferences Save settings135 136 10 Editing user passwordFTP protocol Http protocol137 URL Rules Conditions for Http and FTP ﬁltering138 139 URL Rules140 URL Rules DeﬁnitionURL matches criteria If user accessing the URL is141 142 Allow access to the Web siteValid for IP address group Valid at time intervalValid if Mime type is Denial optionsScan content for viruses according to scanning rules WWW content scanning optionsDeny Web pages containing 144145 Http Inspection Advanced OptionsAllow Html ActiveX objects Global rules for Web elementsAllow Script Html tags 146Allow Html JavaScript pop-up windows Content Rating System ISS OrangeWeb FilterAllow applet Html tags Allow cross-domain referrer148 ISS OrangeWeb Filter conﬁgurationCategorize each page regardless of Http rules Enable ISS OrangeWeb FilterServer ISS OrangeWeb Filter DeploymentISS OrangeWeb Filter rule 150151 Web content ﬁltering by word occurrence152 Deﬁnition of rules ﬁltering by word occurrence153 Word groups154 Deﬁnition of forbidden wordsFTP Policy WeightGroup KeywordFTP Rules Deﬁnition If user accessing the FTP server isFTP server is 15615 FTP Rule basic parameters 158 Content159 Conditions and limitations of antivirus scan Antivirus control160 161 Conditions and limitations of antivirus scanAntivirus control How to choose and setup antivirusesIntegrated McAfee 162Last update check performed ... ago Check for update every ... hoursUpdate now Current virus database isExternal antivirus Antivirus settings164 An example of a traﬃc rule for outgoing Smtp traﬃc check 165Http and FTP scanning 167 Http and FTP scanningCondition Http and FTP scanning rules168 169 Mime type170 Email scanning171 Email scanning172 Creating and Editing IP Address Groups IP Address Groups173 Deﬁnitions Time IntervalsName TypeAbsolute Time range typesWeekly DailyFrom, To Time Interval TypeValid at days 176Services Services177 Protocol inspector Protocol178 Protocol Inspectors Source Port and Destination Port179 180 URL Groups181 URL Groups182 Deﬁnitions GroupInternal user database User Accounts and GroupsImport of user accounts from Active Directory 183User Accounts and Groups Viewing and deﬁnitions of user accounts184 Local user accounts Accounts mapped from the Active Directory domain Local user accountsEdit User 186Creating a local user account Local user accountsBasic information Full NameAccount is disabled AuthenticationEmail Address Domain templateGroups NT domain / Kerberos189 190 Access rightsRead only access to administration No access to administrationFull access to administration User can override WWW content rulesTransfer quota Data transmission quota192 Quota exceed action Content rules193 194 User’s IP addresses195 Editing User AccountNT domain Active Directory196 197 Automatic import of user accounts from Active Directory198 Manual import of user accountsActive Directory domains mapping Active Directory domains mappingDomain mapping requirements 199Single domain mapping Domain AccessActive Directory mapping 20013 Active Directory domain mapping 201Multiple domains mapping NT authentication support202 16 Conversion of user accounts 203User groups Deﬁnitions User groups204 Creating a new local user group User groupsName and description of the group 205Read only access Group access rightsGroup members 206Users can connect using VPN Users can override WWW content rules207 Users are allowed to view statistics Users are allowed to use P2P networks208 Setting Remote Administration Remote Administration and Update ChecksHow to allow remote administration from the Internet 209Remote Administration and Update Checks Update Checking210 Check for new versions Update CheckingCheck also for beta versions Check now212 15.1 P2P Eliminator Advanced security featuresP2P Eliminator Conﬁguration 213214 Advanced security featuresParameters for detection of P2P networks 15.1 P2P Eliminator215 216 Special Security SettingsAnti-Spooﬁng Special Security SettingsConnections Count Limit 217Enable VPN using IPSec ProtocolEnable pass-through only for hosts IPSec preferencesWinRoute’s IPSec conﬁguration VPN using IPSec ProtocolIPSec client in local network 219Traﬃc rule for one IPSec client in the local network 220221 IPSec server in local networkRouting table Other settingsRoute Types Routing tableStatic routes 223Network, Network Mask Deﬁnitions of Dynamic and Static RulesGateway MetricDemand Dial Demand DialRemoving routes from the Routing Table How demand dial works226 227 Technical Peculiarities and Limitations228 Setting Rules for Demand Dial229 Dial of local DNS namesPort mapping timeout Enable UPnPUniversal Plug-and-Play UPnP Conﬁguration of the UPnP supportRelay Smtp server Relay Smtp serverLog packets Log connectionsSpecify sender email address in From header Smtp requires authenticationTest 232233 Active hosts and connected users Status Information234 Login duration Login timeHostname UserActive Hosts dialog options Detailed information on a selected host and user 238 Traﬃc informationConnections Activity Description239 240 Source, Destination241 Histogram242 Show connections related to the selected process243 Show connections related to the selected processKill connection Options of the Connections Dialog244 Font Color Color SettingsBackground Color 245Alerts Alerts Settings246 Alert Alerts247 248 Alert TemplatesAlerts overview in Administration Console \Program Files\Kerio\WinRoute Firewall\templates by default249 13 Details of a selected event 250Interface statistics Basic statistics251 Basic statistics Reset interface statisticsInterface Statistics menu 252Remove interface statistics Interface statisticsGraphical view of interface load 253254 User Statistics data volumes and quotasUser Statistics dialog options User Statistics data volumes and quotas255 Remove user statistics Reset user statisticsView host 256Monitoring and storage of statistic data Kerio StaR statistics and reporting257 Kerio StaR statistics and reporting Settings for statistics and quotaRequirements of the statistics 258Enable/disable gathering of statistic data Settings for statistics and quotaAdvanced settings for statistics 259260 Statistics and quota restrictionsRemote access to the statistics Accessing the statistics from the WinRoute hostConnection to StaR and viewing statistics Statistics and quota accounting periods262 StaR page in the web interface263 Accounting periodCustom accounting period 264Overall View Overall View265 Top 5 users Top Requested Web Categories266 267 Used Protocol268 User statistics User statistics269 13 The Users by Traﬃc table Users by TraﬃcTop Visited Websites Top Visited Websites272 Top Requested Web Categories16 Top visited websites sorted by categories 273274 Logs Log settingsFilename.log 275276 File LoggingSyslog Logging Log settings277 Logs Context Menu Find Logs Context MenuHighlighting Select fontLog debug Logs EncodingClear log Log highlightingLog highlighting settings 282 Debug log advanced settingsAlert Log Alert LogLogs 20.4 Conﬁg Log284 Connection Log Connection Log285 Dial Log Debug Log286 Page 288 15/Mar/2004 155912 Line Connection disconnectedError Log Error Log289 Filter Log ’McAfee update’ rule name290 Http log Http log291 292 1058444114.733 0 192.168.64.64 TCPMISS/304Security Log Security Log293 294 Authentication service Client IP address reasonSslvpn Log Sslvpn Log17/Dec/2004 121133 Engine Startup 17/Dec/2004 122243 Engine Shutdown24/Apr/2003 102951 192.168.44.128 james Web LogWeb Log 297 298 Kerio VPN299 VPN Server ConﬁgurationKerio VPN Enable VPN serverGeneral IP address assignment301 SSL certiﬁcateListen on port Advanced302 303 Custom RoutesBasic conﬁguration of traﬃc rules for VPN clients 21.2 Conﬁguration of VPN clients304 Deﬁnition of a tunnel to a remote server Setting up VPN serversName of the tunnel 305306 Conﬁguration307 Conﬁguration of a remote end of the tunnelRouting settings DNS Settings308 309 Connection establishment310 Traﬃc Policy Settings for VPNExchange of routing information Exchange of routing informationRouting conﬁguration options 311Routes provided automatically Update of routing tables312 Speciﬁcation Example of Kerio VPN conﬁguration company with a ﬁlial oﬃce313 314 Common method315 316 Headquarters conﬁguration317 14 Headquarter creating default traﬃc rules for Kerio VPN16 Headquarter DNS forwarder conﬁguration 318319 19 Headquarters VPN server conﬁguration 320321 LAN322 Conﬁguration of a ﬁlial oﬃce323 24 Filial oﬃce default traﬃc rules for Kerio VPN25 Filial oﬃce DNS forwarder conﬁguration 324325 28 Filial oﬃce VPN server conﬁguration 32629 Filial oﬃce deﬁnition of VPN tunnel for the headquarters 327VPN test Example of a more complex Kerio VPN conﬁguration328 329 Common method330 331 332 33 Headquarter creating default traﬃc rules for Kerio VPN35 Headquarter DNS forwarder conﬁguration 333Kerio VPN 38 Headquarters VPN server conﬁguration 33539 Headquarter deﬁnition of VPN tunnel for the London ﬁlial 336337 338 43 Headquarter ﬁnal traﬃc rules 339340 Conﬁguration of the London ﬁlial341 46 The London ﬁlial oﬃce default traﬃc rules for Kerio VPN342 48 The London ﬁlial oﬃce DNS forwarding settings343 344 345 54 The London ﬁlial oﬃce ﬁnal traﬃc rules 346347 Conﬁguration of the Paris ﬁlial57 The Paris ﬁlial oﬃce DNS forwarder conﬁguration 34859 The Paris ﬁlial oﬃce VPN server conﬁguration 349350 351 352 64 The Paris ﬁlial oﬃce ﬁnal traﬃc rules 353354 22.1 Conﬁguration of WinRoute’s SSL-VPN Kerio Clientless SSL-VPNSSL-VPN conﬁguration 355Kerio Clientless SSL-VPN Allowing access from the Internet356 Usage of the SSL-VPN interface Usage of the SSL-VPN interfaceHttps//server Https//server12345Handling ﬁles and folders Sidneywashington@usoffice.company.com358 Antivirus control \\server\folder\subfolderBookmarks 359Detection of incorrect conﬁguration of the default gateway Troubleshooting360 23.2 Conﬁguration Backup and Transfer License SslcertCache.CFS Dnscache.cfgStar Handling conﬁguration ﬁles Conﬁguration backup recovery363 List name=Interfaces General conditions Automatic user authentication using Ntlm365 366 WinRoute ConﬁgurationNtlm authentication process Automatic user authentication using NtlmWeb browsers Microsoft Internet ExplorerFirefox/Netscape/Mozilla/SeaMonkey conﬁguration Firefox/Netscape/Mozilla/SeaMonkey368 Partial Retirement of Protocol Inspector Partial Retirement of Protocol Inspector369 User accounts and groups in traﬃc rules How to enable certain users to access the Internet370 371 Enabling automatic authenticationExample of a client conﬁguration web browser FTP on WinRoute’s proxy server372 FTP on WinRoute’s proxy server Example of a client conﬁguration Total Commander373 374 12 Setting proxy server for FTP in Total CommanderBasic Information and System Requirements Network Load BalancingNetwork Conﬁguration 375376 Network Load BalancingNLB conﬁguration for Server1 24.3 Conﬁguration of the servers in the cluster377 Server 1 cluster parameters 378379 NLB conﬁguration for Server2Essential Information Technical supportDescription 380Tested in Beta version Error Log FilesInformational File License type and license numberUnited Kingdom ContactsCzech Republic Legal Presumption Libiconv Used open-source librariesOpenSSL 384Copyright 2005 Sam Stephenson PrototypeZlib 385Glossary of terms Default gatewayActiveX ClusterGreylisting Firewall387 IPSec Glossary of terms IP addressKerberos 388P2P network Network adapterPacket PortProxy server Glossary of termsRouting table Script391 Spooﬁng392 TCP/IP393 Index394 Index395 Ntlm396 VPN397 133