Manuals / Kerio Tech / Computer Equipment / Network Router

Kerio Tech Firewall6 manual Traﬃc Policy Settings for VPN, 310

Models: Firewall6

1 398

Download 398 pages 11.9 Kb

Page 310

Chapter 21 Kerio VPN

VPN tunnels can be disabled by the Disable button. Both endpoints should be disabled while the tunnel is being disabled.

Note: VPN tunnels keeps their connection (by sending special packets in regular time in- tervals) even if no data is transmitted. This feature protects tunnels from disconnection by other ﬁrewalls or network devices between ends of tunnels.

Traﬃc Policy Settings for VPN

Once the VPN tunnel is created, it is necessary to allow traﬃc between the LAN and the network connected by the tunnel and to allow outgoing connection for the Kerio VPN service (from the ﬁrewall to the Internet). If basic traﬃc rules are already created by the wizard (refer to chapter 21.2), simply add a corresponding VPN tunnel into the Local Traﬃc rule and the Kerio VPN service to the Firewall traﬃc. The resulting traﬃc rules are shown at ﬁgure 21.10.

Figure 21.10 Traﬃc Policy Settings for VPN

Notes:

1.To keep examples in this guide as simple as possible, it is supposed that the Firewall traﬃc rule allows to access any service at the ﬁrewall (see ﬁgure 21.11). Under these conditions, it is not necessary to add the Kerio VPN service to the rule.

2.Traﬃc rules set by this method allow full IP communication between the local net- work, remote network and all VPN clients. For access restrictions, deﬁne corre- sponding traﬃc rules (for local traﬃc, VPN clients, VPN tunnel, etc.). Examples of traﬃc rules are provided in chapter 21.5.

310

Image 310

Kerio Tech Firewall6 manual Traﬃc Policy Settings for VPN, 310

Contents

Administrator’s Guide Kerio TechnologiesPage Contents 113 Remote Administration and Update Checks 209 Kerio Clientless SSL-VPN 355 393 Quick Checklist Page Introduction Basic FeaturesKerio WinRoute Firewall Additional Features Kerio WinRoute FirewallEmail alerts Antivirus controlTransparent support for Active Directory User quotasCollision of low-level drivers Conﬂicting softwareClientless SSL-VPN Port collisionAntivirus applications Steps to be taken before the installation InstallationInstallation System requirementsInstallation and Basic Conﬁguration Guide Custom installation selecting optional components Protection of the installed product Conﬂicting Applications and System Services WinRoute Firewall Engine WinRoute ComponentsWinRoute Engine Monitor WinRoute Engine Monitor Kerio Administration ConsoleWinRoute Engine Monitor Upgrade and Uninstallation Uninstallation Upgrade and UninstallationTypically the path C\Program Files\Kerio\WinRoute Firewall Setting of administration username and password Upgrade from WinRoute ProUpdate Checker Conﬁguration WizardEnable remote access Remote AccessRemote IP address Initial conﬁguration Allowing remote administration WinRoute Administration Administration WindowFile WinRoute AdministrationAdministration Window Main menu Help menuStatus bar Administration WindowDetection of WinRoute Firewall Engine connection drop-out View Settings Column customization in InterfacesView Settings License types and number of users Product Registration and LicensingLicense types optional components License types and number of users Deciding on a number of users licensesCopyright License informationProduct HomepageProduct expiration date License IDSubscription expiration date Number of usersRegistration of the product in the Administration Console Registration of the trial versionRegistration of the product in the Administration Console Trial version registration security codeTrial version registration other information Registration of the purchased product Trial version registration Trial IDProduct Registration and Licensing Registration of the product in the Administration Console 10 Product registration user information Update of registration information 12 Product registration summarySubscription / Update Expiration Product registration at the websiteSubscription / Update Expiration Bubble alertsUser counter 15 The notice that the subscription has already expiredStart WinRoute User counterLicense counter License release Interface Settings for Interfaces and Network ServicesNetwork interfaces IP Address and MaskAdd Dial or Hang Up /Enebale, DisableAdapter info ModifyDial-In RefreshSpecial interfaces VPN serverBind this interface Interface type selectionInterface name Use login data from the RAS entryUse the following login data RAS EntryConnection Dial-up demand dialHangup if idle AdvancedConnection Failover Edit Interface parametersConnection Failover Connection Failover SetupEnable automatic connection failover Current connectionConﬁguration of primary and secondary Internet connection Secondary connection Primary connectionDial-up Use DNS Forwarder DNS Forwarder conﬁgurationDNS Forwarder Enable DNS forwardingDNS forwarding Clear cache Enable cache for faster response of repeated queriesEnable DNS forwarding Use custom forwarding10 Speciﬁc settings of DNS forwarding Simple DNS resolution 11 DNS forwarding a new ruleBefore forwarding a query Combine the name ... with DNS domainDhcp server Dhcp Server Conﬁguration Dhcp serverDeﬁnition of Scopes and Reservations Wins server Lease timeDNS server DomainDescription 15 Dhcp server IP scopes deﬁnitionSubnet mask First address, Last addressExclusions Parameters Lease Reservations 00bca5f21e50Bc-a5-f2-1e-50 Leases20 Dhcp server list of leased and reserved IP addresses Dhcp server advanced options Windows RASProxy server Declined optionsProxy server Enable non-transparent proxy serverProxy Server Conﬁguration Enable connection to any TCP port 22 Http proxy server settingsForward to parent proxy server Http//192.168.1.13128/pac/proxy.pacHttp cache Enable cache on transparent proxyEnable cache on proxy server Http protocol TTLHttp cache Cache sizeMax Http object size Memory cache sizeCache Options URL Speciﬁc Settings URLCache status and administration TTL26 Http cache administration dialog Traﬃc Policy Network Rules WizardInformation Network Rules WizardSelection of Internet connection type Network adapter or dial-up selection Network Policy Wizard selection of a connected adapterInternet access limitations Allow access to all servicesAllow access to the following services only Enabling Kerio VPN traﬃcService is running on ServiceNAT Generating the rulesRules Created by the Wizard Icmp traﬃcLocal Traﬃc Firewall Traﬃc Deﬁnition of Custom Traﬃc Rules How traﬃc rules workName Source, Destination 12 Traﬃc rule name, color and rule descriptionIP range e.g Deﬁnition of Custom Traﬃc Rules Service 100Action 101Log 102Translation 103104 20 Traﬃc rule destination address translationProtocol inspector Valid on105 Source Basic Traﬃc Rule TypesIP Translation NAT DestinationPort mapping TranslationPlacing the rule 107108 Multihoming Limiting Internet Access109 110 Exclusions 111112 Bandwidth Limiter How the bandwidth limiter works and how to use itSpeed limits for big data volumes transmissions Speed limits for users with their quota exceededBandwidth Limiter Setting limit valuesBandwidth Limiter conﬁguration 114Advanced Options Services115 IP Addresses and Time Interval 116Bandwidth Limiter selection of network services 117Detection of connections with large data volume transferred 118Examples Detection of connections with large data volume transferred119 120 Firewall User Authentication User Authentication121 User authentication advanced options User Authentication122 Enable non-transparent proxy server authentication Firewall User AuthenticationRedirection to the authentication Automatic authentication NtlmAutomatically logout users when they are inactive 124Web Interface Enable Kerio SSL-VPN serverEnable Web Interface Http Web Interface Parameters ConﬁgurationWeb Interface Enable secured Web Interface HttpsAllow access only from these IP addresses WinRoute server nameConﬁguration of ports of the Web Interface 127Generate or Import Certiﬁcate SSL Certiﬁcate for the Web Interface128 129 SSL certiﬁcate of WinRoute’s Web interfaceUsers logged Login/logoutWeb Interface Language Preferences 130Drdolittle@usoffice.company.com Login/logout131 Log out User password authentication132 Status information and user statistics Status information and user statistics133 User preferences 134User preferences Save settings135 10 Editing user password 136FTP protocol Http protocol137 URL Rules Conditions for Http and FTP ﬁltering138 URL Rules 139URL Rules Deﬁnition 140URL matches criteria If user accessing the URL is141 Allow access to the Web site 142Valid if Mime type is Valid at time intervalValid for IP address group Denial optionsDeny Web pages containing WWW content scanning optionsScan content for viruses according to scanning rules 144Http Inspection Advanced Options 145Allow Script Html tags Global rules for Web elementsAllow Html ActiveX objects 146Allow applet Html tags Content Rating System ISS OrangeWeb FilterAllow Html JavaScript pop-up windows Allow cross-domain referrerISS OrangeWeb Filter conﬁguration 148Server Enable ISS OrangeWeb FilterCategorize each page regardless of Http rules ISS OrangeWeb Filter Deployment150 ISS OrangeWeb Filter ruleWeb content ﬁltering by word occurrence 151Deﬁnition of rules ﬁltering by word occurrence 152Word groups 153Deﬁnition of forbidden words 154Group WeightFTP Policy KeywordFTP server is If user accessing the FTP server isFTP Rules Deﬁnition 15615 FTP Rule basic parameters Content 158159 Conditions and limitations of antivirus scan Antivirus control160 Conditions and limitations of antivirus scan 161Integrated McAfee How to choose and setup antivirusesAntivirus control 162Update now Check for update every ... hoursLast update check performed ... ago Current virus database isExternal antivirus Antivirus settings164 165 An example of a traﬃc rule for outgoing Smtp traﬃc checkHttp and FTP scanning Http and FTP scanning 167Condition Http and FTP scanning rules168 Mime type 169Email scanning 170Email scanning 171172 Creating and Editing IP Address Groups IP Address Groups173 Name Time IntervalsDeﬁnitions TypeWeekly Time range typesAbsolute DailyValid at days Time Interval TypeFrom, To 176Services Services177 Protocol inspector Protocol178 Protocol Inspectors Source Port and Destination Port179 URL Groups 180URL Groups 181Deﬁnitions Group 182Import of user accounts from Active Directory User Accounts and GroupsInternal user database 183User Accounts and Groups Viewing and deﬁnitions of user accounts184 Local user accounts Edit User Local user accountsAccounts mapped from the Active Directory domain 186Basic information Local user accountsCreating a local user account Full NameEmail Address AuthenticationAccount is disabled Domain templateGroups NT domain / Kerberos189 Access rights 190Full access to administration No access to administrationRead only access to administration User can override WWW content rulesTransfer quota Data transmission quota192 Quota exceed action Content rules193 User’s IP addresses 194Editing User Account 195NT domain Active Directory196 Automatic import of user accounts from Active Directory 197Manual import of user accounts 198Domain mapping requirements Active Directory domains mappingActive Directory domains mapping 199Active Directory mapping Domain AccessSingle domain mapping 200201 13 Active Directory domain mappingMultiple domains mapping NT authentication support202 203 16 Conversion of user accountsUser groups Deﬁnitions User groups204 Name and description of the group User groupsCreating a new local user group 205Group members Group access rightsRead only access 206Users can connect using VPN Users can override WWW content rules207 Users are allowed to view statistics Users are allowed to use P2P networks208 How to allow remote administration from the Internet Remote Administration and Update ChecksSetting Remote Administration 209Remote Administration and Update Checks Update Checking210 Check also for beta versions Update CheckingCheck for new versions Check now212 P2P Eliminator Conﬁguration Advanced security features15.1 P2P Eliminator 213Advanced security features 214Parameters for detection of P2P networks 15.1 P2P Eliminator215 Special Security Settings 216Connections Count Limit Special Security SettingsAnti-Spooﬁng 217Enable pass-through only for hosts VPN using IPSec ProtocolEnable IPSec preferencesIPSec client in local network VPN using IPSec ProtocolWinRoute’s IPSec conﬁguration 219220 Traﬃc rule for one IPSec client in the local networkIPSec server in local network 221Other settings Routing tableStatic routes Routing tableRoute Types 223Gateway Deﬁnitions of Dynamic and Static RulesNetwork, Network Mask MetricRemoving routes from the Routing Table Demand DialDemand Dial How demand dial works226 Technical Peculiarities and Limitations 227Setting Rules for Demand Dial 228Dial of local DNS names 229Universal Plug-and-Play UPnP Enable UPnPPort mapping timeout Conﬁguration of the UPnP supportLog packets Relay Smtp serverRelay Smtp server Log connectionsTest Smtp requires authenticationSpecify sender email address in From header 232233 Active hosts and connected users Status Information234 Hostname Login timeLogin duration UserActive Hosts dialog options Detailed information on a selected host and user Traﬃc information 238Connections Activity Description239 Source, Destination 240Histogram 241Show connections related to the selected process 242Show connections related to the selected process 243Kill connection Options of the Connections Dialog244 Background Color Color SettingsFont Color 245Alerts Alerts Settings246 Alert Alerts247 Alert Templates 248Alerts overview in Administration Console \Program Files\Kerio\WinRoute Firewall\templates by default249 250 13 Details of a selected eventInterface statistics Basic statistics251 Interface Statistics menu Reset interface statisticsBasic statistics 252Graphical view of interface load Interface statisticsRemove interface statistics 253User Statistics data volumes and quotas 254User Statistics dialog options User Statistics data volumes and quotas255 View host Reset user statisticsRemove user statistics 256Monitoring and storage of statistic data Kerio StaR statistics and reporting257 Requirements of the statistics Settings for statistics and quotaKerio StaR statistics and reporting 258Advanced settings for statistics Settings for statistics and quotaEnable/disable gathering of statistic data 259Statistics and quota restrictions 260Connection to StaR and viewing statistics Accessing the statistics from the WinRoute hostRemote access to the statistics Statistics and quota accounting periodsStaR page in the web interface 262Accounting period 263264 Custom accounting periodOverall View Overall View265 Top 5 users Top Requested Web Categories266 Used Protocol 267268 User statistics User statistics269 Users by Traﬃc 13 The Users by Traﬃc tableTop Visited Websites Top Visited WebsitesTop Requested Web Categories 272273 16 Top visited websites sorted by categories274 Filename.log Log settingsLogs 275File Logging 276Syslog Logging Log settings277 Logs Context Menu Highlighting Logs Context MenuFind Select fontClear log Logs EncodingLog debug Log highlightingLog highlighting settings Debug log advanced settings 282Alert Log Alert LogLogs 20.4 Conﬁg Log284 Connection Log Connection Log285 Dial Log Debug Log286 Page 15/Mar/2004 155912 Line Connection disconnected 288Error Log Error Log289 Filter Log ’McAfee update’ rule name290 Http log Http log291 1058444114.733 0 192.168.64.64 TCPMISS/304 292Security Log Security Log293 Authentication service Client IP address reason 29417/Dec/2004 121133 Engine Startup Sslvpn LogSslvpn Log 17/Dec/2004 122243 Engine ShutdownWeb Log 24/Apr/2003 102951 192.168.44.128 jamesWeb Log 297 Kerio VPN 298VPN Server Conﬁguration 299General Enable VPN serverKerio VPN IP address assignmentSSL certiﬁcate 301Listen on port Advanced302 Custom Routes 303Basic conﬁguration of traﬃc rules for VPN clients 21.2 Conﬁguration of VPN clients304 Name of the tunnel Setting up VPN serversDeﬁnition of a tunnel to a remote server 305Conﬁguration 306Conﬁguration of a remote end of the tunnel 307Routing settings DNS Settings308 Connection establishment 309Traﬃc Policy Settings for VPN 310Routing conﬁguration options Exchange of routing informationExchange of routing information 311Routes provided automatically Update of routing tables312 Speciﬁcation Example of Kerio VPN conﬁguration company with a ﬁlial oﬃce313 Common method 314315 Headquarters conﬁguration 31614 Headquarter creating default traﬃc rules for Kerio VPN 317318 16 Headquarter DNS forwarder conﬁguration319 320 19 Headquarters VPN server conﬁgurationLAN 321Conﬁguration of a ﬁlial oﬃce 32224 Filial oﬃce default traﬃc rules for Kerio VPN 323324 25 Filial oﬃce DNS forwarder conﬁguration325 326 28 Filial oﬃce VPN server conﬁguration327 29 Filial oﬃce deﬁnition of VPN tunnel for the headquartersVPN test Example of a more complex Kerio VPN conﬁguration328 Common method 329330 331 33 Headquarter creating default traﬃc rules for Kerio VPN 332333 35 Headquarter DNS forwarder conﬁgurationKerio VPN 335 38 Headquarters VPN server conﬁguration336 39 Headquarter deﬁnition of VPN tunnel for the London ﬁlial337 338 339 43 Headquarter ﬁnal traﬃc rulesConﬁguration of the London ﬁlial 34046 The London ﬁlial oﬃce default traﬃc rules for Kerio VPN 34148 The London ﬁlial oﬃce DNS forwarding settings 342343 344 345 346 54 The London ﬁlial oﬃce ﬁnal traﬃc rulesConﬁguration of the Paris ﬁlial 347348 57 The Paris ﬁlial oﬃce DNS forwarder conﬁguration349 59 The Paris ﬁlial oﬃce VPN server conﬁguration350 351 352 353 64 The Paris ﬁlial oﬃce ﬁnal traﬃc rules354 SSL-VPN conﬁguration Kerio Clientless SSL-VPN22.1 Conﬁguration of WinRoute’s SSL-VPN 355Kerio Clientless SSL-VPN Allowing access from the Internet356 Https//server Usage of the SSL-VPN interfaceUsage of the SSL-VPN interface Https//server12345Handling ﬁles and folders Sidneywashington@usoffice.company.com358 Bookmarks \\server\folder\subfolderAntivirus control 359Detection of incorrect conﬁguration of the default gateway Troubleshooting360 23.2 Conﬁguration Backup and Transfer Cache.CFS SslcertLicense Dnscache.cfgStar Handling conﬁguration ﬁles Conﬁguration backup recovery363 List name=Interfaces General conditions Automatic user authentication using Ntlm365 WinRoute Conﬁguration 366Web browsers Automatic user authentication using NtlmNtlm authentication process Microsoft Internet ExplorerFirefox/Netscape/Mozilla/SeaMonkey conﬁguration Firefox/Netscape/Mozilla/SeaMonkey368 Partial Retirement of Protocol Inspector Partial Retirement of Protocol Inspector369 User accounts and groups in traﬃc rules How to enable certain users to access the Internet370 Enabling automatic authentication 371Example of a client conﬁguration web browser FTP on WinRoute’s proxy server372 FTP on WinRoute’s proxy server Example of a client conﬁguration Total Commander373 12 Setting proxy server for FTP in Total Commander 374Network Conﬁguration Network Load BalancingBasic Information and System Requirements 375Network Load Balancing 376NLB conﬁguration for Server1 24.3 Conﬁguration of the servers in the cluster377 378 Server 1 cluster parametersNLB conﬁguration for Server2 379Description Technical supportEssential Information 380Informational File Error Log FilesTested in Beta version License type and license numberUnited Kingdom ContactsCzech Republic Legal Presumption OpenSSL Used open-source librariesLibiconv 384Zlib PrototypeCopyright 2005 Sam Stephenson 385ActiveX Default gatewayGlossary of terms ClusterGreylisting Firewall387 Kerberos Glossary of terms IP addressIPSec 388Packet Network adapterP2P network PortRouting table Glossary of termsProxy server ScriptSpooﬁng 391TCP/IP 392Index 393Index 394Ntlm 395VPN 396133 397