Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual


Summary of Contents

Page 1 - Kerio WinRoute Firewall 6

Kerio WinRoute Firewall 6 Administrator’s Guide Kerio Technologies s.r.o.

Page 2

Chapter 2 Introduction (p. 10) Support for Windows 7: Kerio WinRoute Firewall now includes full support for the new operating system Microsoft Windows 7. 2.2 Con

Page 3 - Contents

Chapter 7 Traffic Policy (p. 100) Example: A banking application (client) communicates with the bank’s server through its proper protocol which uses TCP protoco

Page 4

7.8 Use of Full cone NAT (p. 101) Note: In the default configuration of the Traffic rules section, the Protocol inspector column is hidden. To show it, modify se

Page 5

Chapter 7 Traffic Policy (p. 102) Figure 7.39 Definition of a Full cone NAT traffic rule • Source — IP address of an SIP telephone in the local network. • Destinati

Page 6

7.9 Media hairpinning (p. 103) Example: Two SIP telephones in the LAN. Let us suppose two SIP telephones are located in the LAN. These telephones authenticate

Page 7 - Quick Checklist

Chapter 8 Configuration of network services (p. 104) This chapter provides guidelines for setting of basic services in WinRoute helpful for easy configuration an

Page 8

8.1 DNS module (p. 105) The DNS module configuration: By default, DNS server (the DNS forwarder service), cache (for faster responses to repeated requests) and s

Page 9 - Introduction

Chapter 8 Configuration of network services (p. 106) Note: 1. Time period for keeping DNS logs in the cache is specified individually in each log (usually 24 hou

Page 10 - 2.2 Conflicting software

8.1 DNS module (p. 107) Figure 8.2 Editor of the Hosts system file. Local DNS domain: In the When resolving name from the ’hosts’ file or lease table combine it wi

Page 11 - 2.3 System requirements

Chapter 8 Configuration of network services (p. 108) Enable DNS forwarding: The DNS module allows forwarding of certain DNS requests to specific DNS servers. Thi

Page 12 - 2.4 Installation - Windows

8.1 DNS module (p. 109) queries concerning names and reversed queries are independent from each other. For better reference, it is recommended to start with a

Page 13

2.3 System requirements (p. 11) • 53/UDP — DNS module, • 67/UDP — DHCP server, • 1900/UDP — the SSDP Discovery service, • 2869/TCP — the UPnP Host service. The S

Page 14

Chapter 8 Configuration of network services (p. 110) Warning: In rules for DNS requests, it is necessary to enter an expression matching the full DNS name! If, f

Page 15 - Sharing

8.2 DHCP server (p. 111) DHCP Server Configuration: To configure the DHCP server in WinRoute go to Configuration → DHCP Server. Here you can define IP scopes, reser

Page 16

Chapter 8 Configuration of network services (p. 112) Figure 8.6 DHCP server — default DHCP parameters. DNS server: Any DNS server (or multiple DNS servers separat

Page 17

8.2 DHCP server (p. 113) Figure 8.7 DHCP server — IP scopes definition. First address, Last address: First and last address of the new scope. Note: If possible, we

Page 18

Chapter 8 Configuration of network services (p. 114) Example: In 192.168.1.0 subnet you intend to create two scopes: from 192.168.1.10 to 192.168.1.49 and from 1

Page 19

8.2 DHCP server (p. 115) Figure 8.9 DHCP server — DHCP settings. To view configured DHCP parameters and their values within appropriate IP scopes see the right c

Page 20

Chapter 8 Configuration of network services (p. 116) Figure 8.11 DHCP server — reserving an IP address • hardware (MAC) address of the host — it is defined by h

Page 21

8.2 DHCP server (p. 117) Figure 8.12 DHCP server — list of leased and reserved IP addresses • MAC Address — hardware address of the host that the IP address i

Page 22

Chapter 8 Configuration of network services (p. 118) the MAC address or name of the host that the address is currently assigned to. The Scopes tab with a dialo

Page 23 - 2.9 WinRoute Components

8.3 Dynamic DNS for public IP address of the firewall (p. 119) Warning: 1. DHCP server cannot assign addresses to RAS clients connecting to the RAS server direct

Page 24

Chapter 2 Introduction (p. 12) • 50 MB free disk space for installation of Kerio WinRoute Firewall. • Disk space for statistics (see chapter 21) and logs (in

Page 25

Chapter 8 Configuration of network services (p. 120) • free — user can choose from several second level domains (e.g. no-ip.org, ddns.info, etc.) and select a

Page 26

8.4 Proxy server (p. 121) Figure 8.14 Setting cooperation with dynamic DNS server. On the Dynamic DNS tab, select a DDNS provider, enter DNS name for which dyn

Page 27 - WinRoute Administration

Chapter 8 Configuration of network services (p. 122) Proxy server can receive and process clients’ queries locally. The line will not be dialed if access to th

Page 28

8.4 Proxy server (p. 123) Enable non-transparent proxy server: This option enables the HTTP proxy server in WinRoute on the port inserted in the Port entry (312

Page 29

Chapter 8 Configuration of network services (p. 124) where 192.168.1.1 is the IP address of the WinRoute host and number 3128 represents the port of the proxy

Page 30

8.5 HTTP cache (p. 125) Figure 8.16 HTTP cache configuration. Enable cache on proxy server: Enables the cache for HTTP traffic via WinRoute’s proxy server (see chap

Page 31

Chapter 8 Configuration of network services (p. 126) Warning: Changes in this entry will not be accepted unless the WinRoute Firewall Engine is restarted. Old ca

Page 32 - Chapter 4

8.5 HTTP cache (p. 127) Warning: Some web servers may attempt to bypass the cache by too short/long TTL. • Ignore server Cache-Control directive — WinRoute will

Page 33 - 4.2 License information

Chapter 8 Configuration of network services (p. 128) Rules within this dialog are ordered in a list where the rules are read one by one from the top downwards

Page 34

8.5 HTTP cache (p. 129) Figure 8.19 HTTP cache administration dialog. Example: Search for the *ker?o* string lists all objects with URL matching the specification,

Page 35

2.4 Installation - Windows (p. 13) Note: 1. WinRoute installation packages include the Kerio Administration Console. The separate Kerio Administration Console

Page 36

Chapter 9 Bandwidth Limiter (p. 130) The main problem of shared Internet connection is when one or more users download or upload big volume of data and occupy

Page 37

9.2 Bandwidth Limiter configuration (p. 131) Figure 9.1 Bandwidth Limiter configuration. The Bandwidth Limiter module enables to define reduction of speed of inco

Page 38

Chapter 9 Bandwidth Limiter (p. 132) services if too much big data volumes are transferred). If they are lower, full line capacity is often not employed. Warni

Page 39

9.2 Bandwidth Limiter configuration (p. 133) Figure 9.2 Bandwidth Limiter — network services. Figure 9.3 Bandwidth Limiter — selection of network services. IP Add

Page 40

Chapter 9 Bandwidth Limiter (p. 134) addresses across the local network and the Internet. Where user workstations use fixed IP addresses, it is also possible t

Page 41

9.3 Detection of connections with large data volume transferred (p. 135) cally. With exception of special conditions (testing purposes) it is highly recommen

Page 42

Chapter 9 Bandwidth Limiter (p. 136) Examples: The detection of connections transferring large data volumes will be better understood through the following exa

Page 43

Chapter 10 User Authentication (p. 137) WinRoute allows administrators to monitor connections (packet, connection, Web pages or FTP objects and command filterin

Page 44

Chapter 10 User Authentication (p. 138) • Redirection — when accessing any website (unless access to this page is explicitly allowed to unauthenticated users

Page 45 - 4.6 User counter

10.1 Firewall User Authentication (p. 139) Redirection to the authentication page: If the Always require users to be authenticated when accessing web pages opt

Page 46

Chapter 2 Introduction (p. 14) Figure 2.1 Installation — customization by selecting optional components • Kerio WinRoute Firewall Engine — core of the applica

Page 47 - Network interfaces

Chapter 10 User Authentication (p. 140) available for other operating systems. For details, refer to chapter 25.3. Automatically logout users when they are ina

Page 48

Chapter 11 Web Interface (p. 141) WinRoute includes a special web server which provides an interface where statistics can be viewed (Kerio StaR), as well as fo

Page 49

Chapter 11 Web Interface (p. 142) Figure 11.1 Configuration of WinRoute’s Web Interface. The name need not be necessarily identical with the host name, however,

Page 50 - Figure 5.2 Editing interfaces

11.1 Web interface preferences (p. 143) Configuration of ports of the Web Interface: Use the TCP ports section to set ports for unencrypted and encrypted versio

Page 51

Chapter 11 Web Interface (p. 144) SSL Certificate for the Web Interface: The principle of an encrypted WinRoute Web interface is based on the fact that all comm

Page 52

11.1 Web interface preferences (p. 145) Figure 11.3 SSL certificate of WinRoute’s Web interface. Figure 11.4 Creating a new “self-signed” certificate for WinRout

Page 53 - Internet Connection

Chapter 11 Web Interface (p. 146) Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). To import a certificate, open the certificate file (*.c

Page 54

Chapter 12 HTTP and FTP filtering (p. 147) WinRoute provides a wide range of features to filter traffic using HTTP and FTP protocols. These protocols are the most

Page 55

Chapter 12 HTTP and FTP filtering (p. 148) An appropriate protocol inspector is activated automatically unless its use is denied by traffic rules. For details, r

Page 56

12.2 URL Rules (p. 149) access to other web pages, a rule denying access to any URL must be placed at the end of the rule list. The following items (columns) c

Page 57

2.4 Installation - Windows (p. 15) • all checked components will be installed or updated, • all checked components will not be installed or will be removed Dur

Page 58

Chapter 12 HTTP and FTP filtering (p. 150) Figure 12.2 URL Rule — basic parameters. for example a rule allowing access to certain pages without authentication ca

Page 59

12.2 URL Rules (p. 151) (wildcard matching) to substitute any number of characters (i.e. *.kerio.com*) Server names represent any URL at a corresponding server

Page 60

Chapter 12 HTTP and FTP filtering (p. 152) Figure 12.3 URL Rule — advanced parameters. Denial options: Advanced options for denied pages. Whenever a user attempts

Page 61

12.2 URL Rules (p. 153) another page (see below). • A blank page — user will not be informed why access to the required page was denied. • Another page — user’s

Page 62 - 6.3 Connection Failover

Chapter 12 HTTP and FTP filtering (p. 154) HTTP Inspection Advanced Options: Click on the Advanced button in the HTTP Policy tab to open a dialog where paramete

Page 63

12.3 Content Rating System (Kerio Web Filter) (p. 155) According to the classification of the page the user will be either allowed or denied to access the page

Page 64 - Chapter 6 Internet Connection

Chapter 12 HTTP and FTP filtering (p. 156) Categorize each page regardless of HTTP rules: If this option is enabled, Kerio Web Filter categorization will be app

Page 65

12.3 Content Rating System (Kerio Web Filter) (p. 157) Figure 12.7 Kerio Web Filter rule

Page 66 - 6.4 Network Load Balancing

Chapter 12 HTTP and FTP filtering (p. 158) Figure 12.8 Selection of Kerio Web Filter categories. Note: 1. You can define multiple URL rules that will use the Keri

Page 67

12.4 Web content filtering by word occurrence (p. 159) So called forbidden words are used to filter out web pages containing undesirable words. URL rules (see c

Page 68

Chapter 2 Introduction (p. 16) 2. Universal Plug and Play Device Host and SSDP Discovery Service: The services support UPnP (Universal Plug and Play) in the Wi

Page 69

Chapter 12 HTTP and FTP filtering (p. 160) • On the Content Rules tab, check the Deny Web pages containing... option to enable filtering by word occurrence. Figu

Page 70

12.4 Web content filtering by word occurrence (p. 161) Individual groups and words included in them are displayed in form of trees. To enable filtering of parti

Page 71 - Traffic Policy

Chapter 12 HTTP and FTP filtering (p. 162) Weight: Word weight the level of how the word affects possible blocking or allowing of access to websites. The weight s

Page 72

12.5 FTP Policy (p. 163) FTP Rules Definition: To create a new rule, select a rule after which the new rule will be added, and click Add. You can later use the a

Page 73

Chapter 12 HTTP and FTP filtering (p. 164) Open the General tab to set general rules and actions to be taken. Description: Description of the rule (information f

Page 74

12.5 FTP Policy (p. 165) Figure 12.15 FTP Rule — advanced settings. Valid at time interval: Selection of the time interval during which the rule will be valid (a

Page 75

Chapter 12 HTTP and FTP filtering (p. 166) Scan content for viruses according to scanning rules: Use this option to enable/disable scanning for viruses for FTP

Page 76

Chapter 13 Antivirus control (p. 167) WinRoute provides antivirus check of objects (files) transmitted by HTTP, FTP, SMTP and POP3 protocols. In case of HTTP an

Page 77

Chapter 13 Antivirus control (p. 168) For details, see chapter 13.4. • Object transferred by other than HTTP, FTP, SMTP and POP3 protocols cannot be checked by

Page 78 - 7.2 How traffic rules work

13.2 How to choose and setup antiviruses (p. 169) Figure 13.2 Antivirus selection (integrated antivirus). Figure 13.3 Scheduling McAfee updates. Check for update

Page 79

2.5 Initial configuration wizard (Windows) (p. 17) warning log. This helps assure that the service will be enabled/started immediately after the WinRoute insta

Page 80

Chapter 13 Antivirus control (p. 170) Last update check performed ... ago: Time that has passed since the last update check. Virus database version: Database vers

Page 81

13.2 How to choose and setup antiviruses (p. 171) Use the Options button to set advanced parameters for the selected antivirus. Dialogs for individual antiv

Page 82

Chapter 13 Antivirus control (p. 172) network send their email via an SMTP server located in the Internet. Checking of outgoing SMTP traffic is not apt for loca

Page 83

13.3 HTTP and FTP scanning (p. 173) To set parameters of HTTP and FTP antivirus check, open the HTTP, FTP scanning tab in Configuration → Content Filtering → A

Page 84

Chapter 13 Antivirus control (p. 174) Warning: When handling files in the quarantine directory, please consider carefully each action you take, otherwise a virus

Page 85

13.3 HTTP and FTP scanning (p. 175) Figure 13.8 Definition of an HTTP/FTP scanning rule. Description: Description of the rule (for reference of the WinRoute admin

Page 86

Chapter 13 Antivirus control (p. 176) If the object does not match with any rule, it will be scanned automatically. If only selected object types are to be sc

Page 87

13.4 Email scanning (p. 177) Figure 13.9 Settings for SMTP and POP3 scanning. The quarantine subdirectory under the WinRoute directory is used for the quaranti

Page 88

Chapter 13 Antivirus control (p. 178) • Enable TLS. This alternative is suitable for such cases where protection from wiretapping is prior to antivirus chec

Page 89

13.5 Scanning of files transferred via Clientless SSL-VPN (Windows) (p. 179) Transfer directions: Use the top section of the SSL-VPN Scanning tab to set to whic

Page 90 - 7.4 Basic Traffic Rule Types

Chapter 2 Introduction (p. 18) Password and its confirmation must be entered in the dialog for account settings. Name Admin can be changed in the Username edit

Page 91

Chapter 14 Definitions (p. 180) 14.1 IP Address Groups: IP groups are used for simple access to certain services (e.g. WinRoute’s remote administration, Web serve

Page 92

14.2 Time Ranges (p. 181) Figure 14.2 IP group definition. Type: Type of the new item: • Host (IP address or DNS name of a particular host), • Network / Mask (subne

Page 93

Chapter 14 Definitions (p. 182) Figure 14.3 WinRoute’s time intervals. Time range types: When defining a time interval three types of time ranges (subintervals) ca

Page 94

14.3 Services (p. 183) Figure 14.4 Time range definition. Valid on: Defines days when the interval will be valid. You can either select particular weekdays (Selecte

Page 95 - 7.5 Policy routing

Chapter 14 Definitions (p. 184) Figure 14.5 WinRoute’s network services. Clicking on the Add or the Edit button will open a dialog for service definition. Figure

Page 96

14.3 Services (p. 185) Description: Comments for the service defined. It is strongly recommended describing each definition, especially with non-standard services

Page 97

Chapter 14 Definitions (p. 186) Figure 14.8 Service definition — source and destination port setting. Protocol Inspectors: WinRoute includes special subroutines th

Page 98

14.4 URL Groups (p. 187) Note: 1. Generally, protocol inspectors cannot be applied to secured traffic (SSL/TLS). In this case, WinRoute “perceives” the traffic as

Page 99

Chapter 14 Definitions (p. 188) Matching fields next to each item of the group can be either checked to activate or unchecked to disable the item. This way you

Page 100

14.4 URL Groups (p. 189) Description: The item’s description (comments and notes for the administrator).

Page 101 - 7.8 Use of Full cone NAT

2.6 Upgrade and Uninstallation - Windows (p. 19) Enable remote access: This option enables full access to the WinRoute computer from a selected IP address Remot

Page 102 - 7.9 Media hairpinning

Chapter 15 User Accounts and Groups (p. 190) User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts c

Page 103

15.1 Viewing and definitions of user accounts (p. 191) Transparent cooperation with Active Directory (Active Directory mapping): WinRoute can use accounts and g

Page 104 - 8.1 DNS module

Chapter 15 User Accounts and Groups (p. 192) The searching is helpful especially when the domain includes too many accounts which might make it difficult to loo

Page 105 - Figure 8.1 DNS settings

15.2 Local user accounts (p. 193) Note: It is also possible to select more than one account by using the Ctrl and Shift keys to perform mass changes of parame

Page 106

Chapter 15 User Accounts and Groups (p. 194) Figure 15.2 Local user accounts in WinRoute. Step 1 — basic information. Figure 15.3 Creating a user account — basic

Page 107

15.2 Local user accounts (p. 195) Warning: The user name is not case-sensitive. We recommend not to use special characters (non-English languages) which might

Page 108

Chapter 15 User Accounts and Groups (p. 196) Warning: 1. Passwords may contain printable symbols only (letters, numbers, punctuation marks). Password is case-se

Page 109

15.2 Local user accounts (p. 197) Step 3 — access rights. Figure 15.5 Creating a new user account — user rights. Each user must be assigned one of the following

Page 110 - 8.2 DHCP server

Chapter 15 User Accounts and Groups (p. 198) is displayed. The unlock feature must also be enabled in the corresponding URL rule (for details, refer to chapte

Page 111

15.2 Local user accounts (p. 199) Figure 15.6 Creating a new user account — data transmission quota. make such users to reduce their network activities). For d

Page 112

Kerio Technologies s.r.o. All rights reserved. This guide provides detailed description on configuration and administration of Kerio WinRoute Firewall,

Page 113

Chapter 2 Introduction (p. 20) Figure 2.5 Uninstallation — asking user whether files created in WinRoute should be deleted. Keeping these files may be helpful fo

Page 114

Chapter 15 User Accounts and Groups (p. 200) Don’t block further traffic mode • resetting of the data volume counter of the user (see chapter 20.1). 2. Actions f

Page 115

15.2 Local user accounts (p. 201) Pop-up windows: Automatic opening of new browser windows — usually pop-up windows with advertisements. This option will allow

Page 116

Chapter 15 User Accounts and Groups (p. 202) Figure 15.8 Creating a new user account — IP addresses for VPN client and automatic logins. Automatic login can be

Page 117

15.3 Local user database: external authentication and import of accounts (p. 203) 15.3 Local user database: external authentication and import of accounts. Use

Page 118

Chapter 15 User Accounts and Groups (p. 204) Figure 15.9 Import of accounts from Active Directory. Figure 15.10 Importing accounts from the Windows NT domain. 15

Page 119

15.4 User accounts in Active Directory — domain mapping (p. 205) Directory and forward them to the corresponding domain server. If another DNS server is used,

Page 120

Chapter 15 User Accounts and Groups (p. 206) The first page of the wizard requires the full name of the Active Directory domain (e.g. company.com) and name and

Page 121 - 8.4 Proxy server

15.4 User accounts in Active Directory — domain mapping (p. 207) Figure 15.13 Advanced options for cooperation with the Active Directory. If WinRoute is insta

Page 122

Chapter 15 User Accounts and Groups (p. 208) Secured connection to the domain server: For higher security (to prevent from tapping of traffic and exploiting user

Page 123

15.4 User accounts in Active Directory — domain mapping (p. 209) Use buttons Add or Edit to open a dialog for a new domain definition and enter parameters of t

Page 124 - 8.5 HTTP cache

2.7 Installation - Software Appliance and VMware Virtual Appliance (p. 21) Start of the installation. Software Appliance: ISO image of the installation CD can be

Page 125

Chapter 15 User Accounts and Groups (p. 210) 15.5 User groups: User accounts can be sorted into groups. Creating user groups provides the following benefits: • S

Page 126

15.5 User groups (p. 211) The searching is helpful especially when the domain includes too many groups which might make it difficult to look up particular items

Page 127

Chapter 15 User Accounts and Groups (p. 212) Using the Add and Remove buttons you can add or remove users to/from the group. If user accounts have not been cr

Page 128

15.5 User groups (p. 213) Additional rights: Users can override WWW content rules: User belonging to the group can customize personal web content filtering setti

Page 129

Chapter 16 Administrative settings (p. 214) 16.1 System configuration (Software Appliance / VMware Virtual Appliance): In the Software Appliance / VMware Virtua

Page 130 - Bandwidth Limiter

16.2 Setting Remote Administration (p. 215) firewall’s system time. The time zone also includes information about daylight saving time settings. Kerio Technolog

Page 131

Chapter 16 Administrative settings (p. 216) Hint: In WinRoute, you can use a similar method to allow or block remote administration of Kerio MailServer — for co

Page 132

16.3 Update Checking (p. 217) • 2 minutes after each startup of the WinRoute Firewall Engine, • and then every 24 hours. Results of each attempted update check

Page 133

Chapter 17 Advanced security features (p. 218) 17.1 P2P Eliminator: Peer-to-Peer (P2P) networks are world-wide distributed systems, where each node can repre-se

Page 134

17.1 P2P Eliminator (p. 219) Figure 17.1 Detection settings and P2P Eliminator. allowance of only certain services and length of the period for which restricti

Page 135

Chapter 2 Introduction (p. 22) virtual computer allows this) adapter or install WinRoute Software Appliance on another type of virtual machine. If such issue

Page 136

Chapter 17 Advanced security features (p. 220) Note: 1. If a user who is allowed to use P2P networks (see chapter 15.1) is connected to the firewall from a ce

Page 137 - User Authentication

17.2 Special Security Settings (p. 221) Number of suspicious connections: Big volume of connections established from the client host is a typical feature of P2

Page 138

Chapter 17 Advanced security features (p. 222) Figure 17.4 Security options — Anti-Spoofing and cutting down number of connections for one host. Anti-Spoofing: Ant

Page 139

17.2 Special Security Settings (p. 223) These restrictions protects firewall (WinRoute host) from overload and may also help protect it from attacks to the tar

Page 140

Chapter 18 Other settings (p. 224) 18.1 Routing table: Using Administration Console you can view or edit the system routing table of the host where WinRoute is r

Page 141 - Web Interface

18.1 Routing table (p. 225) Note: Changes in the routing table might interrupt the connection between the WinRoute Firewall Engine and the Administration Co

Page 142

Chapter 18 Other settings (p. 226) Figure 18.2 Adding a route to the routing table. Network, Network Mask: IP address and mask of the destination network. Interfa

Page 143

18.2 Universal Plug-and-Play (UPnP) (p. 227) Removing routes from the Routing Table: Using the Remove button in the WinRoute admin console, records can be remo

Page 144

Chapter 18 Other settings (p. 228) Enable UPnP: This option enables UPnP. Warning: If WinRoute is running on Windows XP, Windows Server 2003, Windows Vista or Win

Page 145

18.3 Relay SMTP server (p. 229) 18.3 Relay SMTP server: WinRoute provides a function which enables notification to users or/and administrators by email alerts. T

Page 146

2.8 Upgrade - Software Appliance / VMware Virtual Appliance (p. 23) 2.8 Upgrade - Software Appliance / VMware Virtual Appliance: WinRoute can be upgraded by th

Page 147 - HTTP and FTP filtering

Chapter 18 Other settings (p. 230) be used for reference in recipient’s mail client or for email classification. This is why it is always recommended to specif

Page 148 - 12.2 URL Rules

Chapter 19 Status Information (p. 231) WinRoute activities can be well monitored by the administrator (or by other users with appropriate rights). There are

Page 149

Chapter 19 Status Information (p. 232) Figure 19.1 List of active hosts and users connected to the firewall. User: Name of the user which is connected from a part

Page 150

19.1 Active hosts and connected users (p. 233) Connections: Total number of connections to and from the host. Details can be displayed in the context menu (see

Page 151

Chapter 19 Status Information (p. 234) User quota: Use this option to show quota of the particular user (Administration Console switches to the User quota tab i

Page 152

19.1 Active hosts and connected users (p. 235) Login information: Information on logged-in users: • User — name of a user, DNS name (if available) and IP addres

Page 153

Chapter 19 Status Information (p. 236) • FTP — DNS name or IP address of the server, size of downloaded/saved data, information on currently downloaded/saved

Page 154

19.1 Active hosts and connected users (p. 237) The following columns are hidden by default. They can be shown through the Modify columns dialog opened from th

Page 155

Chapter 19 Status Information (p. 238) Figure 19.6 Information on selected host and user — traffic histogram. Select an item from the Time interval combo box to

Page 156

19.2 Network connections overview (p. 239) • connections from other hosts to services provided by the host with WinRoute • connections performed by clients wi

Page 157

Chapter 2 Introduction (p. 24) 2.10 WinRoute Engine Monitor (Windows): WinRoute Engine Monitor is a standalone utility used to control and monitor the WinRoute

Page 158

Chapter 19 Status Information (p. 240) Source, Destination: IP address of the source (the connection initiator) and of the destination. If there is an appropria

Page 159

19.2 Network connections overview (p. 241) Figure 19.8 Context menu for Connections. Refresh: This option will refresh the information in the Connections window

Page 160

Chapter 19 Status Information (p. 242) For each item either a color or the Default option can be chosen. Default colors are set in the operating system (the c

Page 161

19.4 Alerts (p. 243) • IP address — public IP address of the host which the client connects from (see the Hostname column above). • Client status — connecting,

Page 162 - 12.5 FTP Policy

Chapter 19 Status Information (p. 244) Figure 19.12 Alert Definitions. alert: Type of the event upon which the alert will be sent: • Virus detected — antivirus eng

Page 163

19.4 Alerts (p. 245) cense/subscription (or license of any module integrated in WinRoute, such as Kerio Web Filter, the McAfee antivirus, etc.) is getting clo

Page 164

Chapter 19 Status Information (p. 246) In the Administration Console, alerts are displayed in the language currently set as preferred (see Kerio Administratio

Page 165

19.4 Alerts (p. 247) Figure 19.14 Details of a selected event

Page 166

Chapter 20 Basic statistics (p. 248) Statistical information about users (volume of transmitted data, used services, categorization of web pages) as well as of

Page 167 - Antivirus control

20.1 Volume of transferred data and quota usage (p. 249) Figure 20.1 User statistics. is related to the user (the IN direction stands for data received by the

Page 168

2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance) (p. 25) Note: 1. If a limited version of WinRoute is used (e.g. a trial version), a

Page 169

Chapter 20 Basic statistics (p. 250) Warning: Be aware that using this option for the all users item resets counters of all users, including unrecognized ones! N

Page 170

20.2 Interface statistics (p. 251) Figure 20.3 Firewall’s interface statistics. Example: The WinRoute host connects to the Internet through the Public interface

Page 171

Chapter 20 Basic statistics (p. 252) Refresh: This option will refresh the information on the Interface Statistics tab immediately. This function is equal to th

Page 172 - 13.3 HTTP and FTP scanning

20.2 Interface statistics (p. 253) The period (2 hours or 1 day) can be selected in the Time interval box. The selected time range is always understood as the

Page 173

Chapter 21 Kerio StaR - statistics and reporting (p. 254) The WinRoute’s web interface provides detailed statistics on users, volume of transferred data, visit

Page 174

21.1 Monitoring and storage of statistic data (p. 255) is represented by several files on the disk. This implies that any data is kept in the cache even if the

Page 175

Chapter 21 Kerio StaR - statistics and reporting (p. 256) The following example addresses case of a mapped web server accessible from the Internet. Any (anony

Page 176 - 13.4 Email scanning

21.2 Settings for statistics and quota (p. 257) Enable/disable gathering of statistic data: The Gather Internet Usage statistics option enables/disables all st

Page 177

Chapter 21 Kerio StaR - statistics and reporting (p. 258) Statistics and quota exceptions: On the Exceptions tab, it is possible to define exceptions for statis

Page 178

21.3 Connection to StaR and viewing statistics (p. 259) For details on IP groups, see chapter 14.1. Users and groups: Select users and/or user groups which will

Page 179

Chapter 2 Introduction (p. 26) Shutting down / restarting the firewall: If you need to shut your computer down or reboot it, these options provide secure closur

Page 180 - Definitions

Chapter 21 Kerio StaR - statistics and reporting (p. 260) Note: Within local systems, secured traffic would be useless and the browser would bother user with ne

Page 181 - 14.2 Time Ranges

21.3 Connection to StaR and viewing statistics (p. 261) Updating data in StaR: First of all, the StaR interface is used for gathering of statistics and creatin

Page 182

Chapter 22 Logs (p. 262) Logs are files where history of certain events performed through or detected by WinRoute are recorded and kept. Each log is displayed i

Page 183 - 14.3 Services

22.1 Log settings (p. 263) Figure 22.1 Log settings. File Logging: Use the File Logging tab to define file name and rotation parameters. Enable logging to file: Use thi

Page 184

Chapter 22 Logs (p. 264) Figure 22.2 File logging settings. ter 21.2). Rotation follows the rules described above. Syslog Logging: Parameters for logging to a Sys

Page 185

22.2 Logs Context Menu (p. 265) Enable Syslog logging: Enable/disable logging to a Syslog server. If this option is disabled, none of the following parameters a

Page 186

Chapter 22 Logs (p. 266) The Save log option opens a dialog box where the following optional parameters can be set: Figure 22.5 Saving a log to a file • Target fi

Page 187 - 14.4 URL Groups

22.2 Logs Context Menu (p. 267) Hint: Select a new encoding type if special characters are not printed correctly in non-English versions. Log Settings: A dialog wh

Page 188

Chapter 22 Logs (p. 268) Highlighting rules are ordered in a list. The list is processed from the top. The first rule meeting the criteria stops other processi

Page 189 - Description

22.3 Alert Log (p. 269) 22.3 Alert Log: The Alert log provides a complete history of alerts generated by WinRoute (e.g. alerts upon virus detection, dialing and

Page 190 - User Accounts and Groups

Chapter 3 WinRoute Administration (p. 27) For WinRoute configuration, two tools are available: The Web Administration interface: The Web Administration interface

Page 191

Chapter 22 Logs (p. 270) Example: [18/Apr/2008 10:27:46] james - insert StaticRoutes set Enabled=’1’, Description=’VPN’, Net=’192.168.76.0’, Mask=’255.255.255.0’

Page 192

22.6 Debug Log 271 • [18/Apr/2008 10:22:47] — date and time when the event was logged (note: Connection logs are saved immediately after a disconnectio

Page 193 - 15.2 Local user accounts

Chapter 22 Logs 272 Figure 22.8 Expression for traffic monitored in the debug log The expression must be defined with special symbols. After clicking on the

Page 194 - Step 1 — basic information

22.7 Dial Log 273 • WAN / Dial-up messages information about dialed lines (request dialing, autodisconnection down-counter), • Filtering — logs proving i

Page 195

Chapter 22 Logs 274 connection time 00:15:53, 1142391 bytes received, 250404 bytes transmitted The first log item is recorded upon reception of a hang-up r

Page 196

22.8 Error Log 275 Another event is logged upon a successful connection (i.e. when the line is dialed, upon authentication on a remote server, etc.). 6. C

Page 197

Chapter 22 Logs 276 • 8100-8199 — errors of the Kerio Web Filter module • 8200-8299 — authentication subsystem errors • 8300-8399 — anti-virus module erro

Page 198

22.10 Http log 277 Packet log example [16/Apr/2008 10:51:00] PERMIT ’Local traffic’ packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.1

Page 199

Chapter 22 Logs 278 An example of an HTTP log record in the Apache format 192.168.64.64 - jflyaway [18/Apr/2008:15:07:17 +0200] "GET http://www.kerio.

Page 200

22.11 Security Log 279 Example [17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445,

Page 201

Chapter 3 WinRoute Administration 28 The following chapters of this document address individual sections of the Administration Console, the module which

Page 202

Chapter 22 Logs 280 administration interface, WebAdmin SSL = secure web administration interface, Proxy = proxy server user authentication) • <IP addre

Page 203

22.14 Web Log 281 • 3000-3999 — warning from individual WinRoute modules (e.g. DHCP server, anti-virus check, user authentication, etc.) • 4000-4999 — lic

Page 204

Chapter 22 Logs 282 Note: If the page title cannot be identified (i.e. because its content is compressed), the "Encoded content" will be reported. •

Page 205

283 Chapter 23 Kerio VPN WinRoute enables secure interconnection of remote private networks using an encrypted tunnel and it provides clients secure acc

Page 206

Chapter 23 Kerio VPN 284 • No special user accounts must be created for VPN clients. User accounts in WinRoute (or domain accounts if the Active Director

Page 207

23.1 VPN Server Configuration 285 Figure 23.2 VPN server settings — basic parameters The action will be applied upon clicking the Apply button in the Inte

Page 208

Chapter 23 Kerio VPN 286 later). 2. Regarding two VPN tunnels, it is also examined when establishing a connection whether the VPN subnet does not collide

Page 209

23.1 VPN Server Configuration 287 Figure 23.4 VPN server settings — specification of DNS servers for VPN clients If the DNS module is already used as a DNS

Page 210 - 15.5 User groups

Chapter 23 Kerio VPN 288 WINS configuration for VPN clients The WINS service is used for resolution of hostnames to IP addresses within Microsoft Windows n

Page 211

23.2 Configuration of VPN clients 289 Figure 23.6 VPN server settings — server port and routes for VPN clients Custom Routes Other networks to which a VPN

Page 212

3.1 Administration Console - the main window 29 • The left column contains the tree view of sections. The individual sections of the tree can be expanded

Page 213

Chapter 23 Kerio VPN 290 Note: Remote VPN clients connecting to WinRoute are included toward the number of persons using the license (see chapters 4 and 4

Page 214 - Administrative settings

23.3 Interconnection of two private networks via the Internet (VPN tunnel) 291 23.3 Interconnection of two private networks via the Internet (VPN tunnel

Page 215

Chapter 23 Kerio VPN 292 Name of the tunnel Each VPN tunnel must have a unique name. This name will be used in the table of interfaces, in traffic rules (

Page 216 - 16.3 Update Checking

23.3 Interconnection of two private networks via the Internet (VPN tunnel) 293 Figure 23.9 VPN tunnel — certificate fingerprints DNS Settings DNS must be se

Page 217

Chapter 23 Kerio VPN 294 Figure 23.10 VPN tunnel’s routing configuration Connection establishment Active endpoints automatically attempt to recover connect

Page 218 - Advanced security features

23.3 Interconnection of two private networks via the Internet (VPN tunnel) 295 Note: VPN tunnels keep their connection (by sending special packets in r

Page 219

Chapter 23 Kerio VPN 296 2. Traffic rules set by this method allow full IP communication between the local network, remote network and all VPN clients. For

Page 220

23.5 Example of Kerio VPN configuration: company with a filial office 297 Routes provided automatically Unless any custom routes are defined, the following ru

Page 221

Chapter 23 Kerio VPN 298 The server (default gateway) of the headquarters uses the public IP address 63.55.21.12 (DNS name is newyork.company.com), the s

Page 222

23.5 Example of Kerio VPN configuration: company with a filial office 299 Common method The following actions must be taken in both local networks (i.e. in t

Page 223

3 Contents 1 Quick Checklist

Page 224 - Other settings

Chapter 3 WinRoute Administration 30 for authentication of the firewall when connecting to the administration from another host (see Kerio Administration

Page 225

Chapter 23 Kerio VPN 300 6. In traffic rules, allow traffic between the local network, remote network and VPN clients and set desirable access restrictions.

Page 226

23.5 Example of Kerio VPN configuration: company with a filial office 301 In step 5, select Create rules for Kerio VPN server. Status of the Create rules fo

Page 227

Chapter 23 Kerio VPN 302 Figure 23.17 Headquarter — DNS forwarding settings • Set the IP address of this interface (10.1.1.1) as a primary DNS server for

Page 228

23.5 Example of Kerio VPN configuration: company with a filial office 303 • Set the IP address 10.1.1.1 as a primary DNS server also for the other hosts. Not

Page 229 - 18.3 Relay SMTP server

Chapter 23 Kerio VPN 304 5. Create a passive end of the VPN tunnel (the server of the branch office uses a dynamic IP address). Specify the remote endpoint

Page 230

23.5 Example of Kerio VPN configuration: company with a filial office 305 Figure 23.21 Headquarter — final traffic rules Rules defined this way meet all the rest

Page 231 - Status Information

Chapter 23 Kerio VPN 306 In this case, it would be meaningless to create rules for the Kerio VPN server and/or the Kerio Clientless SSL-VPN, since the se

Page 232

23.5 Example of Kerio VPN configuration: company with a filial office 307 Figure 23.25 Filial office — DNS forwarding settings Figure 23.26 Filial office — TCP/I

Page 233

Chapter 23 Kerio VPN 308 certificate provided by a certification authority is available). Note: A free subnet which has been selected is now specified autom

Page 234

23.5 Example of Kerio VPN configuration: company with a filial office 309 Figure 23.28 Filial office — definition of VPN tunnel for the headquarters Figure 23.2

Page 235

3.2 Administration Console - view preferences 31 Note: After a connection failure, the Web Administration interface is redirected and opened at the login

Page 236

Chapter 23 Kerio VPN 310 VPN test Configuration of the VPN tunnel has been completed by now. At this point, it is recommended to test availability of the r

Page 237

23.6 Example of a more complex Kerio VPN configuration 311 The headquarters uses the DNS domain company.com, filials use subdomains santaclara.company.com

Page 238

Chapter 23 Kerio VPN 312 To provide correct forwarding of DNS requests from a WinRoute host, it is necessary to use an IP address of a network device bel

Page 239

23.6 Example of a more complex Kerio VPN configuration 313 The following sections provide detailed description of the Kerio VPN configuration both for the

Page 240

Chapter 23 Kerio VPN 314 This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network

Page 241

23.6 Example of a more complex Kerio VPN configuration 315 Figure 23.35 Headquarter — TCP/IP configuration at a firewall’s interface connected to the local

Page 242

Chapter 23 Kerio VPN 316 4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certific

Page 243 - 19.4 Alerts

23.6 Example of a more complex Kerio VPN configuration 317 5. Create a passive endpoint of the VPN tunnel connected to the London filial. Use the fingerpr

Page 244 - Figure 19.12 Alert Definitions

Chapter 23 Kerio VPN 318 Figure 23.38 The headquarters — routing configuration for the tunnel connected to the London filial Warning In case that the VPN co

Page 245

23.6 Example of a more complex Kerio VPN configuration 319 6. Use the same method to create a passive endpoint for the tunnel connected to the Paris filial

Page 246

32 Chapter 4 Product Registration and Licensing When purchased, Kerio WinRoute Firewall must be registered. Upon registration of the product, so called li

Page 247

Chapter 23 Kerio VPN 320 Figure 23.40 The headquarters — routing configuration for the tunnel connected to the Paris filial Figure 23.41 Headquarter — final

Page 248 - Basic statistics

23.6 Example of a more complex Kerio VPN configuration 321 Configuration of the London filial 1. Install WinRoute (version 6.1.0 or higher) at the default g

Page 249 - Figure 20.1 User statistics

Chapter 23 Kerio VPN 322 This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network

Page 250 - 20.2 Interface statistics

23.6 Example of a more complex Kerio VPN configuration 323 Figure 23.46 The London filial office — VPN server configuration For a detailed description on the

Page 251

Chapter 23 Kerio VPN 324 branch office server. Figure 23.47 The London filial office — definition of VPN tunnel for the headquarters

Page 252

23.6 Example of a more complex Kerio VPN configuration 325 Figure 23.48 The London filial — routing configuration for the tunnel connected to the headquart

Page 253

Chapter 23 Kerio VPN 326 6. Create a passive endpoint of the VPN tunnel connected to the Paris filial. Use the fingerprint of the VPN server of the Paris

Page 254 - Chapter 21

23.6 Example of a more complex Kerio VPN configuration 327 Figure 23.50 The London filial — routing configuration for the tunnel connected to the Paris bran

Page 255

Chapter 23 Kerio VPN 328 Configuration of the Paris filial 1. Install WinRoute (version 6.1.0 or higher) at the default gateway of the filial’s network. 2. U

Page 256

23.6 Example of a more complex Kerio VPN configuration 329 3. Customize DNS configuration as follows: • In the WinRoute’s DNS module configuration, enable D

Page 257

4.2 License information 33 cannot be updated. The time for updates can be extended by purchasing a subscription. • product expiration date — specifies th

Page 258

Chapter 23 Kerio VPN 330 Figure 23.55 The Paris filial office — VPN server configuration

Page 259

23.6 Example of a more complex Kerio VPN configuration 331 5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (n

Page 260

Chapter 23 Kerio VPN 332 Paris branch office server. Figure 23.57 The Paris filial — routing configuration for the tunnel connected to the headquarters

Page 261

23.6 Example of a more complex Kerio VPN configuration 333 6. Create an active endpoint of the tunnel connected to London (server gw-london.company.com).

Page 262 - 22.1 Log settings

Chapter 23 Kerio VPN 334 Figure 23.59 The Paris filial — routing configuration for the tunnel connected to the London branch office Figure 23.60 The Paris fili

Page 263 - Figure 22.1 Log settings

335 Chapter 24 Kerio Clientless SSL-VPN (Windows) Kerio Clientless SSL-VPN (hereinafter “SSL-VPN”) is a special interface used for secured remote access

Page 264 - Syslog Logging

Chapter 24 Kerio Clientless SSL-VPN (Windows) 336 SSL-VPN interface configuration The SSL-VPN interface can be enabled/disabled on the Web Interface → SSL

Page 265 - 22.2 Logs Context Menu

24.2 Usage of the SSL-VPN interface 337 Allowing access from the Internet Access to the SSL-VPN interface from the Internet must be allowed by defining a

Page 266

338 Chapter 25 Specific settings and troubleshooting This chapter provides description of advanced features and specific configurations of the firewall. It

Page 267

25.2 Configuration files 339 25.2 Configuration files This chapter provides clear descriptions of WinRoute configuration and status files. This information ca

Page 268

Chapter 4 Product Registration and Licensing 34 Figure 4.1 Administration Console welcome page providing license information Product name of the product (

Page 269 - 22.4 Config Log

Chapter 25 Specific settings and troubleshooting 340 Status files In addition, WinRoute generates other files and directories where certain status informati

Page 270 - 22.5 Connection Log

25.3 Automatic user authentication using NTLM 341 General conditions The following conditions are applied to this authentication method: 1. WinRoute Firew

Page 271 - 22.6 Debug Log

Chapter 25 Specific settings and troubleshooting 342 The configuration of the WinRoute’s web interface must include a valid DNS name of the server on which

Page 272

25.4 FTP on WinRoute’s proxy server 343 NTLM authentication arise, it is recommended to remove all usernames/passwords for the server where WinRoute is i

Page 273 - 22.7 Dial Log

Chapter 25 Specific settings and troubleshooting 344 Terminal FTP clients (such as the ftp command in Windows or Linux) do not allow configuration of the

Page 274

25.4 FTP on WinRoute’s proxy server 345 Figure 25.3 Configuring proxy server in Internet Explorer 6.0 Hint To configure web browsers, you can use a configura

Page 275 - 22.8 Error Log

Chapter 25 Specific settings and troubleshooting 346 Figure 25.4 Setting proxy server for FTP in Total Commander Hint The defined proxy server is indexed an

Page 276 - 22.9 Filter Log

25.5 Internet links dialed on demand 347 If WinRoute receives a packet from the local network, it will compare it with the system routing table. If the p

Page 277 - 22.10 Http log

Chapter 25 Specific settings and troubleshooting 348 from the local host to the Internet, the packet will be dropped by the operating system before the Wi

Page 278 - 22.11 Security Log

25.5 Internet links dialed on demand 349 5. The Proxy server in WinRoute (see chapter 8.4) also provides direct dial-up connections. A special page provi

Page 279

4.3 Registration of the product in the Administration Console 35 Number of users Maximal number of hosts (unique IP addresses) that can be connected to t

Page 280 - 22.13 Warning Log

Chapter 25 Specific settings and troubleshooting 350 All DNS names missing a suitable rule will be dialed automatically by the DNS module when demanded. In

Page 281 - 22.14 Web Log

351 Chapter 26 Technical support Free email and telephone technical support is provided for Kerio WinRoute Firewall. Contacts and more information can be

Page 282

Chapter 26 Technical support 352 as kerio_support_info.txt. Note: The kerio_support_info.txt is generated by the Administration Console. This implies that

Page 283 - Kerio VPN

353 Appendix A Legal Notices Microsoft, Windows, Windows NT, Windows Vista, Internet Explorer, ActiveX, and Active Directory are registered trademar

Page 284 - 23.1 VPN Server Configuration

354 Appendix B Used open source items Kerio WinRoute Firewall contains the following open-source software (open source): bindlib Copyright 1983, 1993 The

Page 285

355 KVNET — driver Kerio Virtual Network Interface driver for Linux (driver for the Kerio VPN virtual network adapter) Copyright © Kerio Technologies s.r.

Page 286

Appendix B Used open source items 356 PHP Copyright © 1999-2006 The PHP Group. All rights reserved. This product includes PHP software available for free

Page 287

357 Glossary of terms ActiveX This Microsoft’s proprietary technology is used for creation of dynamic objects for web pages. This technology provides many

Page 288

Glossary of terms 358 DMZ DMZ (demilitarized zone) is a reserved network area where services available both from the Internet and from the LAN are run (e.

Page 289

359 Ident The Ident protocol is used for identification of user who established certain TCP connection from a particular (multi-user) system. The Ident s

Page 290

Chapter 4 Product Registration and Licensing 36 Registration of the trial version By registering the trial version, users get free email and telephonic

Page 291

Glossary of terms 360 will be redirected to this host. Packets that do not match with any record in the NAT table will be dropped. • destination address t

Page 292

361 Ports 1-1023 are reserved and used by well known services (e.g. 80 = WWW). Ports above 1023 can be freely used by any application. PPTP Microsoft’s pr

Page 293

Glossary of terms 362 Routing table The information used by routers when making packet forwarding decisions (so called routes). Packets are routed accordi

Page 294

363 • RST (Reset) — request on termination of a current connection and on initiation of a new one • URG (Urgent) — urgent packet • PSH (Push) — request on

Page 295

364 Index A Active Directory 196 domain mapping 204 import of user accounts 203 mapping of other domains 208 administration 27 remote 18, 215 Administration Co

Page 296

365 local domain 107 dynamic DNS 119 F FTP 147, 186, 343 filtering rules 162 full cone NAT 87 G groups interface throughput charts 47 IP address 180 of forbidden

Page 297

Index 366 M media hairpinning 102 multihoming 93 N NAT 84, 90 full cone NAT 87, 101 NT domain import of user accounts 203 NTLM 138, 139 configuration of web brows

Page 298

367 traffic policy 71 created by wizard 75 default rule 77 definition 78 exceptions 95 Internet access limiting 94 wizard 71 transparent proxy 124 Trial ID 37 TTL

Page 300

4.3 Registration of the product in the Administration Console 37 Figure 4.3 Trial version registration — user information Figure 4.4 Trial version regist

Page 301

Chapter 4 Product Registration and Licensing 38 Figure 4.5 Registration of the trial version — summary Figure 4.6 Trial version registration — Trial ID At

Page 302

4.3 Registration of the product in the Administration Console 39 Registration of the purchased product Follow the Register product with a purchased licen

Page 303

4 7.5 Policy routing 95 7.6 User a

Page 304

Chapter 4 Product Registration and Licensing 40 Figure 4.8 Product registration — license numbers of additional components, add-ons and subscription

Page 305

4.3 Registration of the product in the Administration Console 41 Figure 4.9 Product registration — user information 4. Page four includes optional inform

Page 306

Chapter 4 Product Registration and Licensing 42 Figure 4.10 Product registration — other information Figure 4.11 Product registration — summary 1. The lic

Page 307

4.4 Product registration at the website 43 work connection, etc.), simply restart the wizard and repeat the registration. 4.4 Product registration at the

Page 308

Chapter 4 Product Registration and Licensing 44 Administrators are informed in two ways: • By a pop-up bubble tip (this function is featured by the WinRo

Page 309

4.6 User counter 45 4.6 User counter This chapter provides a detailed description on how WinRoute checks whether number of licensed users has not been exc

Page 310

Chapter 4 Product Registration and Licensing 46 License release Idleness time (i.e. time for which no packet with a corresponding IP address meeting all c

Page 311

47 Chapter 5 Network interfaces WinRoute is a network firewall. This implies that it represents a gateway between two or more networks (typically between t

Page 312

Chapter 5 Network interfaces 48 change of a network adapter etc., there is no need to edit traffic rules — simple adding of the new interface in the correc

Page 313

49 you do not consider RAS clients as parts of trustworthy networks for any reason, you can move the Dial-In interface to Other interfaces. Note: 1. If bo

Page 314

5 15 User Accounts and Groups 190 15.1 Viewing and

Page 315

Chapter 5 Network interfaces 50 DNS IP address of the primary DNS server set on the interface. MAC Hardware (MAC) address of a corresponding network adapte

Page 316

51 In WinRoute, it is possible to specify a special name for each interface (names taken from the operating system can be confusing and the new name may

Page 317

Chapter 5 Network interfaces 52 Adding new interface (Software Appliance / VMware Virtual Appliance) In the Software Appliance / VMware Virtual Appliance

Page 318

53 Chapter 6 Internet Connection The basic function of WinRoute is connection of the local network to the Internet via one or more Internet connections (I

Page 319

Chapter 6 Internet Connection 54 This involves selection of the Internet connection type in the Configuration → Interfaces section of the WinRoute config

Page 320 - Chapter 23 Kerio VPN

6.1 Persistent connection with a single link 55 Figure 6.1 Traffic Policy Wizard — persistent connection with a single link Figure 6.2 Network Policy Wizar

Page 321

Chapter 6 Internet Connection 56 Resulting interface configuration When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed u

Page 322

6.2 Connection with a single leased link - dial on demand 57 6.2 Connection with a single leased link - dial on demand If the WinRoute host is connected

Page 323

Chapter 6 Internet Connection 58 Figure 6.4 Traffic Policy Wizard — dial on demand Figure 6.5 Network Policy Wizard — selection of an interface for the Int

Page 324

6.2 Connection with a single leased link - dial on demand 59 Figure 6.6 Configuration of interfaces — an on-demand dial link The Internet interfaces group

Page 325

6 22.9 Filter Log 276 22.10

Page 326

Chapter 6 Internet Connection 60 Figure 6.7 Interface properties — dialing settings efficient to keep the link up persistently even in times with dense net

Page 327

6.2 Connection with a single leased link - dial on demand 61 connection is recovered automatically. • If the connection is set to be hung-up at the momen

Page 328

Chapter 6 Internet Connection 62 Warning WinRoute is running in the operating system as a service. Therefore, external applications and operating system

Page 329

6.3 Connection Failover 63 Warning Connection failover is relevant only if performed by a persistent connection (i.e. the primary connection uses a networ

Page 330

Chapter 6 Internet Connection 64 Figure 6.10 Traffic Policy Wizard — failover of a leased link by a dial-up Resulting interface configuration When you finish

Page 331

6.3 Connection Failover 65 The Internet interfaces group includes the Internet and the Dial-up link selected as primary and secondary (failover) on the t

Page 332 - Paris branch office server

Chapter 6 Internet Connection 66 Note: 1. Probe hosts must not block ICMP Echo Requests (PING) since such requests are used to test availability of these

Page 333

6.4 Network Load Balancing 67 Both the primary and the secondary link may be configured automatically by the DHCP protocol. In that case, WinRoute looks

Page 334

Chapter 6 Internet Connection 68 On the third page of the wizard, add all links (one by one) which you intend to use for traffic load balancing. In the Soft

Page 335 - Chapter 24

6.4 Network Load Balancing 69 Resulting interface configuration When you finish set-up in Traffic Policy Wizard, the resulting configuration can be viewed unde

Page 336

7 Chapter 1 Quick Checklist In this chapter you can find a brief guide for a quick setup of Kerio WinRoute Firewall (referred to as “WinRoute” within this

Page 337

Chapter 6 Internet Connection 70 Advanced settings (optimization, dedicated links, etc.) In basic configuration, network load balancing is applied automat

Page 338 - Chapter 25

71 Chapter 7 Traffic Policy Traffic Policy is part of the basic WinRoute configuration. All the following settings are displayed and can be edited within th

Page 339 - 25.2 Configuration files

Chapter 7 Traffic Policy 72 Figure 7.1 Traffic Policy Wizard — introduction Steps 2 and 3 — internet connection settings On the second page of the wizard, sele

Page 340

7.1 Network Rules Wizard 73 Figure 7.2 Network Policy Wizard — enabling access to Internet services Allow access to the following services only Only selec

Page 341

Chapter 7 Traffic Policy 74 Figure 7.3 Network Policy Wizard — Kerio VPN Step 6 — specification of servers that will be available within the local network If

Page 342

7.1 Network Rules Wizard 75 Figure 7.5 Network Policy Wizard — mapping of the local service Note: Access to the Internet through WinRoute must be defined

Page 343

Chapter 7 Traffic Policy 76 Figure 7.7 Traffic Policy generated by the wizard FTP Service and HTTP Service These rules map all HTTP and HTTPS services running

Page 344

7.1 Network Rules Wizard 77 NAT This rule sets that in all packets routed from the local network to the Internet, the source (private) IP address will be

Page 345

Chapter 7 Traffic Policy 78 7.2 How traffic rules work The traffic policy consists of rules ordered by their priority. When the rules are applied, they are proc

Page 346

7.3 Definition of Custom Traffic Rules 79 The background color of each row with this rule can be defined as well. Use the Transparent option to make the back

Page 347

Chapter 1 Quick Checklist 8 9. Select an antivirus and define types of objects that will be scanned. If you choose the integrated McAfee antivirus applica

Page 348

Chapter 7 Traffic Policy 80 Warning If either the source or the destination computer is specified by DNS name, WinRoute tries to identify its IP address whil

Page 349

7.3 Definition of Custom Traffic Rules 81 Figure 7.11 Traffic rule — VPN clients / VPN tunnel in the source/destination address definition tunnel The All option

Page 350

Chapter 7 Traffic Policy 82 Note: 1. If you require authentication for any rule, it is necessary to ensure that a rule exists to allow users to connect to

Page 351 - Technical support

7.3 Definition of Custom Traffic Rules 83 Figure 7.13 Traffic rule — setting a service Use the Remove button to remove all items defined (the Nothing value wil

Page 352 - 26.2 Tested in Beta version

Chapter 7 Traffic Policy 84 Figure 7.14 Traffic rule — selecting an action Translation Source or/and destination IP address translation. Source IP address tran

Page 353 - Legal Notices

7.3 Definition of Custom Traffic Rules 85 Figure 7.15 Traffic rule — NAT — automatic IP address selection load balancing dividing the traffic among individual l

Page 354 - Used open source items

Chapter 7 Traffic Policy 86 Figure 7.16 Traffic rule — NAT — NAT with specific interface (its IP address) failure. If set as suggested, WinRoute will behave l

Page 355

7.3 Definition of Custom Traffic Rules 87 Full cone NAT For all NAT methods it is possible to set mode of allowing of incoming packets coming from any addres

Page 356

Chapter 7 Traffic Policy 88 Destination NAT (port mapping): Destination address translation (also called port mapping) is used to allow access to services h

Page 357 - Glossary of terms

7.3 Definition of Custom Traffic Rules 89 Figure 7.19 Traffic rule — packet/connection logging Note: Connection cannot be logged for blocking and dropping rul

Page 358

9 Chapter 2 Introduction 2.1 What’s new in 6.7.1 In version 6.7.1, WinRoute brings the following new features: Kerio WinRoute Firewall Software Appliance /

Page 359

Chapter 7 Traffic Policy 90 • Default — all necessary protocol inspectors (or inspectors of the services listed in the Service entry) will be applied on tr

Page 360

7.4 Basic Traffic Rule Types 91 Destination The Internet interfaces group. With this group, the rule is usable for any type of Internet connection (see chap

Page 361

Chapter 7 Traffic Policy 92 Figure 7.23 Traffic rule that makes the local web server available from the Internet Source Mapped services can be accessed by cli

Page 362

7.4 Basic Traffic Rule Types 93 dropped. Therefore, it is recommended to put all rules for mapped services at the top of the table of traffic rules. Note: If

Page 363

Chapter 7 Traffic Policy 94 Limiting Internet Access Sometimes, it is helpful to limit users access to the Internet services from the local network. Access

Page 364

7.5 Policy routing 95 Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user account

Page 365

Chapter 7 Traffic Policy 96 marginal traffic (web browsing, online radio channels, etc.). To meet this crucial requirement of an enterprise data traffic, it is

Page 366

7.5 Policy routing 97 Figure 7.31 Policy routing — setting NAT for a reserved link Figure 7.32 Policy routing — a link reserved for a specific server Note:

Page 367

Chapter 7 Traffic Policy 98 IP address will be used). To any other services, load balancing per connection will be applied — thus maximally efficient use of

Page 368

7.7 Partial Retirement of Protocol Inspector 99 counting reasons — see chapter 4.6). However, this NAT rule blocks any connection unless the user is auth
