Kerio Tech Firewall6 manual, page 323 (Administrator's Guide, 398 pages): Filial office default traffic rules for Kerio VPN
21.5 Example of Kerio VPN configuration: company with a filial office
Figure 21.22: Filial — no restrictions are applied to accessing the Internet from the LAN
Figure 21.23: A filial — it is not necessary to create rules for the Kerio VPN server
Figure 21.24: Filial office — default traffic rules for Kerio VPN