23.5 User accounts and groups in traffic rules

Such a rule enables the specified users to connect to the Internet (if authenticated). However, these users must open the WinRoute interface’s login page manually and authenticate (for details, see chapter 8.1).

However, with such a rule defined, all methods of automatic authentication will be ineffective (i.e. redirecting to the login page, NTLM authentication as well as automatic authentication from defined hosts). The reason is that the automatic authentication (or redirection to the login page) is not invoked unless connection to the Internet is being established (for license counting reasons — see chapter 4.6). However, this NAT rule blocks any connection unless the user is authenticated.

Enabling automatic authentication

The automatic user authentication issue can be solved easily as follows:

Add a rule allowing an unlimited access to the HTTP service before the NAT rule.

Figure 23.9 These traffic rules enable automatic redirection to the login page

In URL rules (see chapter 10.2), allow specific users to access any Web site and deny any access to other users.

Figure 23.10 These URL rules enable specified users to access any Web site

A user who is not yet authenticated and attempts to open a Web site will be automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After a successful authentication, users specified in the NAT rule (see figure 23.9) will also be allowed to access other Internet services. Users not specified in the rules, as well as unauthenticated users, will be denied access to Web sites and to other Internet services.
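The interaction between the traffic rules and the URL rules above comes down to rule order: traffic rules are matched top-down and the first match wins, and the URL rules (with their login redirect) only ever see HTTP connections that a traffic rule has already let through. The following model is an added example written for this manual excerpt, not WinRoute's own code; the rule names, the user names alice and bob, and the service names are constructed for illustration, and it simplifies the real engine to the one behaviour the section describes.

```python
# Added example: a first-match-wins model of the rule ordering described in
# this section. Not WinRoute code; rule, user and service names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class TrafficRule:
    name: str
    services: Optional[Set[str]]        # None = any service
    users: Optional[Set[str]] = None    # None = no user condition on the rule


@dataclass
class UrlRule:
    name: str
    users: Optional[Set[str]]           # None = applies to any user
    action: str                         # "allow" or "deny"


@dataclass
class Connection:
    service: str                        # "HTTP", "SMTP", ...
    user: Optional[str] = None          # authenticated user name, or None


def match_traffic(rules: List[TrafficRule], conn: Connection) -> Optional[str]:
    """Return the name of the first traffic rule matching the connection.

    A rule with a user condition matches only a connection that is already
    authenticated as one of those users. No match means the firewall drops
    the connection, so nothing at the HTTP level (such as a redirect to the
    login page) can ever happen for it.
    """
    for rule in rules:
        if rule.services is not None and conn.service not in rule.services:
            continue
        if rule.users is not None and conn.user not in rule.users:
            continue
        return rule.name
    return None


def apply_url_rules(rules: List[UrlRule], conn: Connection) -> str:
    """Evaluate URL rules for an HTTP connection the traffic rules allowed.

    Reaching a user-conditioned URL rule while unauthenticated triggers the
    automatic authentication (modelled here as a redirect to the login page);
    otherwise the first matching rule decides.
    """
    for rule in rules:
        if rule.users is not None:
            if conn.user is None:
                return "redirect-to-login"
            if conn.user not in rule.users:
                continue
        return "allowed" if rule.action == "allow" else "denied-by-url-rule"
    return "denied-by-url-rule"


def outcome(traffic: List[TrafficRule], url: List[UrlRule], conn: Connection) -> str:
    """Combine both layers: traffic rules first, URL rules only for HTTP."""
    if match_traffic(traffic, conn) is None:
        return "dropped"                # never reaches the HTTP engine
    if conn.service == "HTTP":
        return apply_url_rules(url, conn)
    return "allowed"


# Constructed rule sets: the NAT rule on its own (the problematic setup) and
# the corrected ordering with an unrestricted HTTP rule placed above it.
NAT_RULE = TrafficRule("NAT (authenticated users only)", None, users={"alice"})
NAT_ONLY = [NAT_RULE]
FIXED = [TrafficRule("Allow HTTP for anyone", {"HTTP"}), NAT_RULE]
URL_RULES = [
    UrlRule("Any Web site for listed users", {"alice"}, "allow"),
    UrlRule("Deny Web access to everyone else", None, "deny"),
]


def demo() -> Dict[str, str]:
    """Outcomes for the cases the section discusses."""
    return {
        "nat_only_unauth_http": outcome(NAT_ONLY, URL_RULES, Connection("HTTP")),
        "fixed_unauth_http": outcome(FIXED, URL_RULES, Connection("HTTP")),
        "fixed_alice_http": outcome(FIXED, URL_RULES, Connection("HTTP", "alice")),
        "fixed_bob_http": outcome(FIXED, URL_RULES, Connection("HTTP", "bob")),
        "fixed_alice_smtp": outcome(FIXED, URL_RULES, Connection("SMTP", "alice")),
        "fixed_bob_smtp": outcome(FIXED, URL_RULES, Connection("SMTP", "bob")),
        "fixed_unauth_smtp": outcome(FIXED, URL_RULES, Connection("SMTP")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The first case is the failure the section warns about: with only the user-conditioned NAT rule, an unauthenticated HTTP connection is dropped at the traffic layer, so the login redirect is never invoked. Once the unrestricted HTTP rule sits above the NAT rule, the same connection reaches the URL rules and is redirected, while non-HTTP services are still gated by the NAT rule's user list.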

Kerio Tech Firewall6 manual Enabling automatic authentication, 371