Manuals / Kerio Tech / Computer Equipment / Network Router

Kerio Tech Firewall6 manual Conﬁguration of a remote end of the tunnel, 307

Models: Firewall6

1 398

Download 398 pages 11.9 Kb

Page 307

21.3 Interconnection of two private networks via the Internet (VPN tunnel)

the tunnel).

•Passive — this end of the tunnel will only listen for an incoming connection from

the remote (active) side.

The passive mode is only useful when the local end of the tunnel has a ﬁxed IP address and when it is allowed to accept incoming connections.

At least one end of each VPN tunnel must be switched to the active mode (passive servers cannot initialize connection).

Conﬁguration of a remote end of the tunnel

When a VPN tunnel is being created, identity of the remote endpoint is authenti- cated through the ﬁngerprint of its SSL certiﬁcate. If the ﬁngerprint does not match with the ﬁngerprint speciﬁed in the conﬁguration of the tunnel, the connection will be rejected.

The ﬁngerprint of the local certiﬁcate and the entry for speciﬁcation of the remote ﬁngerprint are provided in the Settings for remote endpoint section. Specify the ﬁngerprint for the remote VPN server certiﬁcate and vice versa — specify the ﬁn- gerprint of the local server in the conﬁguration at the remote server.

Figure 21.8 VPN tunnel — certiﬁcate ﬁngerprints

If the local endpoint is set to the active mode, the certiﬁcate of the remote endpoint and its ﬁngerprint can be downloaded by clicking Detect remote certiﬁcate. Passive endpoint cannot detect remote certiﬁcate.

However, this method of ﬁngerprint setting is quite insecure —a counterfeit certiﬁ- cate might be used. If a ﬁngerprint of a false certiﬁcate is used for the conﬁguration of the VPN tunnel, it is possible to create a tunnel for the false endpoint (for the attacker). Moreover, a valid certiﬁcate would not be accepted from the other side. Therefore, for security reasons, it is recommended to set ﬁngerprints manually.

307

Image 307

Kerio Tech Firewall6 manual Conﬁguration of a remote end of the tunnel, 307

Contents

Kerio Technologies Administrator’s GuidePage Contents 113 Remote Administration and Update Checks 209 Kerio Clientless SSL-VPN 355 393 Quick Checklist Page Introduction Basic FeaturesKerio WinRoute Firewall Kerio WinRoute Firewall Additional FeaturesUser quotas Antivirus controlTransparent support for Active Directory Email alertsPort collision Conﬂicting softwareClientless SSL-VPN Collision of low-level driversAntivirus applications System requirements InstallationInstallation Steps to be taken before the installationInstallation and Basic Conﬁguration Guide Custom installation selecting optional components Protection of the installed product Conﬂicting Applications and System Services WinRoute Firewall Engine WinRoute ComponentsWinRoute Engine Monitor WinRoute Engine Monitor Kerio Administration ConsoleWinRoute Engine Monitor Upgrade and Uninstallation Uninstallation Upgrade and UninstallationTypically the path C\Program Files\Kerio\WinRoute Firewall Conﬁguration Wizard Upgrade from WinRoute ProUpdate Checker Setting of administration username and passwordEnable remote access Remote AccessRemote IP address Initial conﬁguration Allowing remote administration Administration Window WinRoute AdministrationHelp menu WinRoute AdministrationAdministration Window Main menu FileStatus bar Administration WindowDetection of WinRoute Firewall Engine connection drop-out Column customization in Interfaces View SettingsView Settings License types and number of users Product Registration and LicensingLicense types optional components Deciding on a number of users licenses License types and number of usersHomepage License informationProduct CopyrightNumber of users License IDSubscription expiration date Product expiration dateRegistration of the trial version Registration of the product in the Administration ConsoleTrial version registration security code Registration of the product in the Administration ConsoleTrial version registration other information Trial version registration Trial ID Registration of the purchased productProduct Registration and Licensing Registration of the product in the Administration Console 10 Product registration user information 12 Product registration summary Update of registration informationProduct registration at the website Subscription / Update ExpirationBubble alerts Subscription / Update Expiration15 The notice that the subscription has already expired User counterStart WinRoute User counterLicense counter License release IP Address and Mask Settings for Interfaces and Network ServicesNetwork interfaces InterfaceModify Dial or Hang Up /Enebale, DisableAdapter info AddVPN server RefreshSpecial interfaces Dial-InInterface type selection Bind this interfaceRAS Entry Use login data from the RAS entryUse the following login data Interface nameDial-up demand dial ConnectionAdvanced Hangup if idleEdit Interface parameters Connection FailoverCurrent connection Connection Failover SetupEnable automatic connection failover Connection FailoverConﬁguration of primary and secondary Internet connection Secondary connection Primary connectionDial-up Use DNS Forwarder conﬁguration DNS ForwarderDNS Forwarder Enable DNS forwardingDNS forwarding Use custom forwarding Enable cache for faster response of repeated queriesEnable DNS forwarding Clear cache10 Speciﬁc settings of DNS forwarding 11 DNS forwarding a new rule Simple DNS resolutionCombine the name ... with DNS domain Before forwarding a queryDhcp server Dhcp Server Conﬁguration Dhcp serverDeﬁnition of Scopes and Reservations Domain Lease timeDNS server Wins server15 Dhcp server IP scopes deﬁnition DescriptionSubnet mask First address, Last addressExclusions Parameters 00bca5f21e50 Lease ReservationsLeases Bc-a5-f2-1e-5020 Dhcp server list of leased and reserved IP addresses Windows RAS Dhcp server advanced optionsDeclined options Proxy serverProxy server Enable non-transparent proxy serverProxy Server Conﬁguration 22 Http proxy server settings Enable connection to any TCP portHttp//192.168.1.13128/pac/proxy.pac Forward to parent proxy serverHttp protocol TTL Enable cache on transparent proxyEnable cache on proxy server Http cacheCache size Http cacheMax Http object size Memory cache sizeCache Options URL URL Speciﬁc SettingsTTL Cache status and administration26 Http cache administration dialog Network Rules Wizard Traﬃc PolicyInformation Network Rules WizardSelection of Internet connection type Network Policy Wizard selection of a connected adapter Network adapter or dial-up selectionAllow access to all services Internet access limitationsEnabling Kerio VPN traﬃc Allow access to the following services onlyService Service is running onGenerating the rules NATIcmp traﬃc Rules Created by the WizardLocal Traﬃc Firewall Traﬃc Deﬁnition of Custom Traﬃc Rules How traﬃc rules workName 12 Traﬃc rule name, color and rule description Source, DestinationIP range e.g Deﬁnition of Custom Traﬃc Rules 100 Service101 Action102 Log103 Translation20 Traﬃc rule destination address translation 104Protocol inspector Valid on105 Destination Basic Traﬃc Rule TypesIP Translation NAT Source107 TranslationPlacing the rule Port mapping108 Multihoming Limiting Internet Access109 110 111 Exclusions112 Speed limits for users with their quota exceeded How the bandwidth limiter works and how to use itSpeed limits for big data volumes transmissions Bandwidth Limiter114 Setting limit valuesBandwidth Limiter conﬁguration Bandwidth LimiterAdvanced Options Services115 116 IP Addresses and Time Interval117 Bandwidth Limiter selection of network services118 Detection of connections with large data volume transferredExamples Detection of connections with large data volume transferred119 120 Firewall User Authentication User Authentication121 User authentication advanced options User Authentication122 Automatic authentication Ntlm Firewall User AuthenticationRedirection to the authentication Enable non-transparent proxy server authentication124 Automatically logout users when they are inactiveWeb Interface Parameters Conﬁguration Enable Kerio SSL-VPN serverEnable Web Interface Http Web InterfaceWinRoute server name Enable secured Web Interface HttpsAllow access only from these IP addresses Web Interface127 Conﬁguration of ports of the Web InterfaceGenerate or Import Certiﬁcate SSL Certiﬁcate for the Web Interface128 SSL certiﬁcate of WinRoute’s Web interface 129130 Login/logoutWeb Interface Language Preferences Users loggedDrdolittle@usoffice.company.com Login/logout131 Log out User password authentication132 Status information and user statistics Status information and user statistics133 134 User preferencesUser preferences Save settings135 136 10 Editing user passwordFTP protocol Http protocol137 URL Rules Conditions for Http and FTP ﬁltering138 139 URL Rules140 URL Rules DeﬁnitionURL matches criteria If user accessing the URL is141 142 Allow access to the Web siteDenial options Valid at time intervalValid for IP address group Valid if Mime type is144 WWW content scanning optionsScan content for viruses according to scanning rules Deny Web pages containing145 Http Inspection Advanced Options146 Global rules for Web elementsAllow Html ActiveX objects Allow Script Html tagsAllow cross-domain referrer Content Rating System ISS OrangeWeb FilterAllow Html JavaScript pop-up windows Allow applet Html tags148 ISS OrangeWeb Filter conﬁgurationISS OrangeWeb Filter Deployment Enable ISS OrangeWeb FilterCategorize each page regardless of Http rules ServerISS OrangeWeb Filter rule 150151 Web content ﬁltering by word occurrence152 Deﬁnition of rules ﬁltering by word occurrence153 Word groups154 Deﬁnition of forbidden wordsKeyword WeightFTP Policy Group156 If user accessing the FTP server isFTP Rules Deﬁnition FTP server is15 FTP Rule basic parameters 158 Content159 Conditions and limitations of antivirus scan Antivirus control160 161 Conditions and limitations of antivirus scan162 How to choose and setup antivirusesAntivirus control Integrated McAfeeCurrent virus database is Check for update every ... hoursLast update check performed ... ago Update nowExternal antivirus Antivirus settings164 An example of a traﬃc rule for outgoing Smtp traﬃc check 165Http and FTP scanning 167 Http and FTP scanningCondition Http and FTP scanning rules168 169 Mime type170 Email scanning171 Email scanning172 Creating and Editing IP Address Groups IP Address Groups173 Type Time IntervalsDeﬁnitions NameDaily Time range typesAbsolute Weekly176 Time Interval TypeFrom, To Valid at daysServices Services177 Protocol inspector Protocol178 Protocol Inspectors Source Port and Destination Port179 180 URL Groups181 URL Groups182 Deﬁnitions Group183 User Accounts and GroupsInternal user database Import of user accounts from Active DirectoryUser Accounts and Groups Viewing and deﬁnitions of user accounts184 Local user accounts 186 Local user accountsAccounts mapped from the Active Directory domain Edit UserFull Name Local user accountsCreating a local user account Basic informationDomain template AuthenticationAccount is disabled Email AddressGroups NT domain / Kerberos189 190 Access rightsUser can override WWW content rules No access to administrationRead only access to administration Full access to administrationTransfer quota Data transmission quota192 Quota exceed action Content rules193 194 User’s IP addresses195 Editing User AccountNT domain Active Directory196 197 Automatic import of user accounts from Active Directory198 Manual import of user accounts199 Active Directory domains mappingActive Directory domains mapping Domain mapping requirements200 Domain AccessSingle domain mapping Active Directory mapping13 Active Directory domain mapping 201Multiple domains mapping NT authentication support202 16 Conversion of user accounts 203User groups Deﬁnitions User groups204 205 User groupsCreating a new local user group Name and description of the group206 Group access rightsRead only access Group membersUsers can connect using VPN Users can override WWW content rules207 Users are allowed to view statistics Users are allowed to use P2P networks208 209 Remote Administration and Update ChecksSetting Remote Administration How to allow remote administration from the InternetRemote Administration and Update Checks Update Checking210 Check now Update CheckingCheck for new versions Check also for beta versions212 213 Advanced security features15.1 P2P Eliminator P2P Eliminator Conﬁguration214 Advanced security featuresParameters for detection of P2P networks 15.1 P2P Eliminator215 216 Special Security Settings217 Special Security SettingsAnti-Spooﬁng Connections Count LimitIPSec preferences VPN using IPSec ProtocolEnable Enable pass-through only for hosts219 VPN using IPSec ProtocolWinRoute’s IPSec conﬁguration IPSec client in local networkTraﬃc rule for one IPSec client in the local network 220221 IPSec server in local networkRouting table Other settings223 Routing tableRoute Types Static routesMetric Deﬁnitions of Dynamic and Static RulesNetwork, Network Mask GatewayHow demand dial works Demand DialDemand Dial Removing routes from the Routing Table226 227 Technical Peculiarities and Limitations228 Setting Rules for Demand Dial229 Dial of local DNS namesConﬁguration of the UPnP support Enable UPnPPort mapping timeout Universal Plug-and-Play UPnPLog connections Relay Smtp serverRelay Smtp server Log packets232 Smtp requires authenticationSpecify sender email address in From header Test233 Active hosts and connected users Status Information234 User Login timeLogin duration HostnameActive Hosts dialog options Detailed information on a selected host and user 238 Traﬃc informationConnections Activity Description239 240 Source, Destination241 Histogram242 Show connections related to the selected process243 Show connections related to the selected processKill connection Options of the Connections Dialog244 245 Color SettingsFont Color Background ColorAlerts Alerts Settings246 Alert Alerts247 248 Alert TemplatesAlerts overview in Administration Console \Program Files\Kerio\WinRoute Firewall\templates by default249 13 Details of a selected event 250Interface statistics Basic statistics251 252 Reset interface statisticsBasic statistics Interface Statistics menu253 Interface statisticsRemove interface statistics Graphical view of interface load254 User Statistics data volumes and quotasUser Statistics dialog options User Statistics data volumes and quotas255 256 Reset user statisticsRemove user statistics View hostMonitoring and storage of statistic data Kerio StaR statistics and reporting257 258 Settings for statistics and quotaKerio StaR statistics and reporting Requirements of the statistics259 Settings for statistics and quotaEnable/disable gathering of statistic data Advanced settings for statistics260 Statistics and quota restrictionsStatistics and quota accounting periods Accessing the statistics from the WinRoute hostRemote access to the statistics Connection to StaR and viewing statistics262 StaR page in the web interface263 Accounting periodCustom accounting period 264Overall View Overall View265 Top 5 users Top Requested Web Categories266 267 Used Protocol268 User statistics User statistics269 13 The Users by Traﬃc table Users by TraﬃcTop Visited Websites Top Visited Websites272 Top Requested Web Categories16 Top visited websites sorted by categories 273274 275 Log settingsLogs Filename.log276 File LoggingSyslog Logging Log settings277 Logs Context Menu Select font Logs Context MenuFind HighlightingLog highlighting Logs EncodingLog debug Clear logLog highlighting settings 282 Debug log advanced settingsAlert Log Alert LogLogs 20.4 Conﬁg Log284 Connection Log Connection Log285 Dial Log Debug Log286 Page 288 15/Mar/2004 155912 Line Connection disconnectedError Log Error Log289 Filter Log ’McAfee update’ rule name290 Http log Http log291 292 1058444114.733 0 192.168.64.64 TCPMISS/304Security Log Security Log293 294 Authentication service Client IP address reason17/Dec/2004 122243 Engine Shutdown Sslvpn LogSslvpn Log 17/Dec/2004 121133 Engine Startup24/Apr/2003 102951 192.168.44.128 james Web LogWeb Log 297 298 Kerio VPN299 VPN Server ConﬁgurationIP address assignment Enable VPN serverKerio VPN General301 SSL certiﬁcateListen on port Advanced302 303 Custom RoutesBasic conﬁguration of traﬃc rules for VPN clients 21.2 Conﬁguration of VPN clients304 305 Setting up VPN serversDeﬁnition of a tunnel to a remote server Name of the tunnel306 Conﬁguration307 Conﬁguration of a remote end of the tunnelRouting settings DNS Settings308 309 Connection establishment310 Traﬃc Policy Settings for VPN311 Exchange of routing informationExchange of routing information Routing conﬁguration optionsRoutes provided automatically Update of routing tables312 Speciﬁcation Example of Kerio VPN conﬁguration company with a ﬁlial oﬃce313 314 Common method315 316 Headquarters conﬁguration317 14 Headquarter creating default traﬃc rules for Kerio VPN16 Headquarter DNS forwarder conﬁguration 318319 19 Headquarters VPN server conﬁguration 320321 LAN322 Conﬁguration of a ﬁlial oﬃce323 24 Filial oﬃce default traﬃc rules for Kerio VPN25 Filial oﬃce DNS forwarder conﬁguration 324325 28 Filial oﬃce VPN server conﬁguration 32629 Filial oﬃce deﬁnition of VPN tunnel for the headquarters 327VPN test Example of a more complex Kerio VPN conﬁguration328 329 Common method330 331 332 33 Headquarter creating default traﬃc rules for Kerio VPN35 Headquarter DNS forwarder conﬁguration 333Kerio VPN 38 Headquarters VPN server conﬁguration 33539 Headquarter deﬁnition of VPN tunnel for the London ﬁlial 336337 338 43 Headquarter ﬁnal traﬃc rules 339340 Conﬁguration of the London ﬁlial341 46 The London ﬁlial oﬃce default traﬃc rules for Kerio VPN342 48 The London ﬁlial oﬃce DNS forwarding settings343 344 345 54 The London ﬁlial oﬃce ﬁnal traﬃc rules 346347 Conﬁguration of the Paris ﬁlial57 The Paris ﬁlial oﬃce DNS forwarder conﬁguration 34859 The Paris ﬁlial oﬃce VPN server conﬁguration 349350 351 352 64 The Paris ﬁlial oﬃce ﬁnal traﬃc rules 353354 355 Kerio Clientless SSL-VPN22.1 Conﬁguration of WinRoute’s SSL-VPN SSL-VPN conﬁgurationKerio Clientless SSL-VPN Allowing access from the Internet356 Https//server12345 Usage of the SSL-VPN interfaceUsage of the SSL-VPN interface Https//serverHandling ﬁles and folders Sidneywashington@usoffice.company.com358 359 \\server\folder\subfolderAntivirus control BookmarksDetection of incorrect conﬁguration of the default gateway Troubleshooting360 23.2 Conﬁguration Backup and Transfer Dnscache.cfg SslcertLicense Cache.CFSStar Handling conﬁguration ﬁles Conﬁguration backup recovery363 List name=Interfaces General conditions Automatic user authentication using Ntlm365 366 WinRoute ConﬁgurationMicrosoft Internet Explorer Automatic user authentication using NtlmNtlm authentication process Web browsersFirefox/Netscape/Mozilla/SeaMonkey conﬁguration Firefox/Netscape/Mozilla/SeaMonkey368 Partial Retirement of Protocol Inspector Partial Retirement of Protocol Inspector369 User accounts and groups in traﬃc rules How to enable certain users to access the Internet370 371 Enabling automatic authenticationExample of a client conﬁguration web browser FTP on WinRoute’s proxy server372 FTP on WinRoute’s proxy server Example of a client conﬁguration Total Commander373 374 12 Setting proxy server for FTP in Total Commander375 Network Load BalancingBasic Information and System Requirements Network Conﬁguration376 Network Load BalancingNLB conﬁguration for Server1 24.3 Conﬁguration of the servers in the cluster377 Server 1 cluster parameters 378379 NLB conﬁguration for Server2380 Technical supportEssential Information DescriptionLicense type and license number Error Log FilesTested in Beta version Informational FileUnited Kingdom ContactsCzech Republic Legal Presumption 384 Used open-source librariesLibiconv OpenSSL385 PrototypeCopyright 2005 Sam Stephenson ZlibCluster Default gatewayGlossary of terms ActiveXGreylisting Firewall387 388 Glossary of terms IP addressIPSec KerberosPort Network adapterP2P network PacketScript Glossary of termsProxy server Routing table391 Spooﬁng392 TCP/IP393 Index394 Index395 Ntlm396 VPN397 133