Kerio Tech Firewall6 User Manual

Summary of Contents

Page 1 - Administrator’s Guide

Administrator’s Guide
Kerio Technologies

Page 2

Chapter 2 Introduction (p. 10): 2.1 Kerio WinRoute Firewall. Kerio WinRoute Firewall 6.0 is a complex tool for connection of the local network to the Internet and

Page 3 - Contents

Chapter 6 Traffic Policy (p. 100): 1. If you require authentication for any rule, it is necessary to ensure that a rule exists to allow users to connect to the fi

Page 4

6.3 Definition of Custom Traffic Rules (p. 101): Figure 6.16 Traffic rule — setting a service. Use the Any button to replace all defined items with the Any item (this

Page 5

Chapter 6 Traffic Policy (p. 102): Figure 6.17 Traffic rule — selecting an action.
  • Permit — traffic will be allowed by the firewall
  • Deny — client will be informed t

Page 6

6.3 Definition of Custom Traffic Rules (p. 103):
  • Log matching packets — all packets matching with rule (permitted, denied or dropped, according to the rule defin

Page 7

Chapter 6 Traffic Policy (p. 104): know DNS name of your host, use the Resolve button to translate the DNS name to IP address. Warning: The IP address must be ass

Page 8 - Quick Checklist

6.3 Definition of Custom Traffic Rules (p. 105): Valid on: Time interval within which the rule will be valid. Apart from this interval WinRoute ignores the rule. The

Page 9

Chapter 6 Traffic Policy (p. 106): Note: Use the Default option for the Protocol Inspector item if a particular service (see the Service item) is used in the rul

Page 10 - Introduction

6.4 Basic Traffic Rule Types (p. 107): Translation: In the Source NAT section select the Translate to IP address of outgoing interface option (the primary IP addre

Page 11

Chapter 6 Traffic Policy (p. 108): Source: Interface connected to the Internet (requests from the Internet will arrive on this interface). Destination: The WinRoute h

Page 12

6.4 Basic Traffic Rule Types (p. 109): Multihoming. Multihoming is a term used for situations when one network interface connected to the Internet uses multiple pu

Page 13 - 2.2 Conflicting software

2.1 Kerio WinRoute Firewall (p. 11): Protocol Maintenance (Protocol Inspectors). You may come across applications that do not support the standard communicatio

Page 14

Chapter 6 Traffic Policy (p. 110): as all traffic that would not meet these requirements will be blocked by the default "catchall" rule. Other methods of

Page 15 - 2.3 Installation

6.4 Basic Traffic Rule Types (p. 111): Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a use

Page 16

Chapter 6 Traffic Policy (p. 112)

Page 17

Chapter 7 Bandwidth Limiter (p. 113): The main problem of shared Internet connection is when one or more users download or upload big volume of data and occupy

Page 18

Chapter 7 Bandwidth Limiter (p. 114): 7.2 Bandwidth Limiter configuration. The Bandwidth Limiter parameters can be set under Configuration → Bandwidth Limiter. Fig

Page 19

7.2 Bandwidth Limiter configuration (p. 115): Tests have discovered that the optimal usage of the Internet line capacity is reached if the value is set to appro

Page 20 - 2.4 WinRoute Components

Chapter 7 Bandwidth Limiter (p. 116): Figure 7.2 Bandwidth Limiter — network services.
  • Apply to all services — the limits will be applied to all traffic between

Page 21 - 2.5 WinRoute Engine Monitor

7.2 Bandwidth Limiter configuration (p. 117): Figure 7.3 Bandwidth Limiter — selection of network services. Figure 7.4 Bandwidth Limiter — IP Addresses and Time

Page 22

Chapter 7 Bandwidth Limiter (p. 118): group. The other traffic will not be limited.
  • Apply to all except the selected address group — the bandwidth limiter will

Page 23

7.3 Detection of connections with large data volume transferred (p. 119): data volumes in longer intervals. Large data volume transfers typically use the met

Page 24 - 2.7 Configuration Wizard

Chapter 2 Introduction (p. 12): Antivirus control. WinRoute can perform antivirus check of transmitted files. For this purpose, either the built-in McAfee antivir

Page 25

Chapter 7 Bandwidth Limiter (p. 120): 3. The connection shown at figure 7.8 transfers 100 KB of data before a 6 sec idleness interval. For this reason, the coun

Page 26 - Chapter 2 Introduction

Chapter 8 User Authentication (p. 121): WinRoute allows administrators to monitor connections (packet, connection, Web pages or FTP objects and command filtering

Page 27 - WinRoute Administration

Chapter 8 User Authentication (p. 122): traffic coming from the particular host is detected, WinRoute assumes that it is currently used by the particular user

Page 28

8.1 Firewall User Authentication (p. 123): Redirection to the authentication page. If the Always require users to be authenticated when accessing web pages opti

Page 29

Chapter 8 User Authentication (p. 124): method is not available for other operating systems. For details, refer to chapter 23.3. Automatically logout users when

Page 30 - 3.2 View Settings

Chapter 9 Web Interface (p. 125): WinRoute contains a special Web server that can be used for several purposes, such as an interface for user authentication and

Page 31

Chapter 9 Web Interface (p. 126): Figure 9.1 Configuration of WinRoute’s Web Interface. Enable secured Web Interface (HTTPS): Use this option to open the secured v

Page 32 - Chapter 4

9.1 Web Interface Parameters Configuration (p. 127): Advanced parameters for the Web interface can be set upon clicking on the Advanced button. Configuration of p

Page 33

Chapter 9 Web Interface (p. 128): SSL Certificate for the Web Interface. The principle of an encrypted WinRoute Web interface is based on the fact that all comm

Page 34 - 4.2 License information

9.1 Web Interface Parameters Configuration (p. 129): Figure 9.3 SSL certificate of WinRoute’s Web interface. Figure 9.4 Creating a new “self-signed” certificate fo

Page 35

2.2 Conflicting software (p. 13): Clientless SSL-VPN. The role of the VPN solution which requires a special application at the client side can be supplied by remo

Page 36

Chapter 9 Web Interface (p. 130): of your server is guaranteed by it. Clients will be warned only about the fact that the certificate was not issued by a trustw

Page 37

9.2 Login/logout page (p. 131): Figure 9.5 Login page of the firewall’s Web interface.
  • User from the local database — the name must be specified without the dom

Page 38

Chapter 9 Web Interface (p. 132): (see chapter 9.3). Log out: Once finished with activities where authentication is required, it is recommended to logout of the fi

Page 39

9.3 Status information and user statistics (p. 133): Authenticated user connecting to the web interface can continue their work in the interface after enteri

Page 40

Chapter 9 Web Interface (p. 134): Figure 9.8 Current web restrictions and rules. To learn more details about restriction rules for accessing Web pages refer to

Page 41

9.4 User preferences (p. 135): Figure 9.9 Customized Web objects filtering. This option will block the window.open() method in JavaScript.
  • Cross-domain referrer

Page 42

Chapter 9 Web Interface (p. 136): Figure 9.10 Editing user password

Page 43

Chapter 10 HTTP and FTP filtering (p. 137): WinRoute provides a wide range of features to filter traffic using HTTP and FTP protocols. These protocols are the most

Page 44

Chapter 10 HTTP and FTP filtering (p. 138): Note: WinRoute provides only tools for filtering and access limitations. Decisions on which websites and files will be

Page 45

10.2 URL Rules (p. 139): Figure 10.1 URL Rules. and block access to other web pages, a rule denying access to any URL must be placed at the end of the rule list.

Page 46 - 4.6 User counter

Chapter 2 Introduction (p. 14):
  • 1900/UDP — SSDP Discovery service
  • 2869/TCP — UPnP Host service
The SSDP Discovery and UPnP Host services are included in the

Page 47

Chapter 10 HTTP and FTP filtering (p. 140): Note: The default WinRoute installation includes several predefined URL rules. These rules are disabled by default. T

Page 48

10.2 URL Rules (p. 141): Open the General tab to set general rules and actions to be taken. Description: Description of the rule (information for the administrat

Page 49 - 5.1 Network interfaces

Chapter 10 HTTP and FTP filtering (p. 142): Warning: If access to servers specified by IP addresses is not denied, users can bypass URL rules where servers are s

Page 50

10.2 URL Rules (p. 143): Valid at time interval: Selection of the time interval during which the rule will be valid (apart from this interval the rule will be ig

Page 51

Chapter 10 HTTP and FTP filtering (p. 144): Open the Content Rules tab (in the HTTP Rules section) to specify details for content filter rules. Parameters on thi

Page 52

10.2 URL Rules (p. 145): HTTP Inspection Advanced Options. Click on the Advanced button in the HTTP Policy tab to open a dialog where parameters for the HTTP ins

Page 53

Chapter 10 HTTP and FTP filtering (p. 146): 10.3 Global rules for Web elements. In WinRoute you can also block certain features contained in HTML pages. Typical

Page 54

10.4 Content Rating System (ISS OrangeWeb Filter) (p. 147): Allow HTML JavaScript pop-up windows: Automatic opening of new browser windows — usually pop-up wind

Page 55

Chapter 10 HTTP and FTP filtering (p. 148): Upon startup of the WinRoute Engine, access to the database server is checked (this process is called activation). T

Page 56 - 5.2 Connection Failover

10.4 Content Rating System (ISS OrangeWeb Filter) (p. 149): Enable ISS OrangeWeb Filter: use this option to enable/disable the ISS OrangeWeb Filter module for c

Page 57

2.3 Installation (p. 15): 2.3 Installation. System requirements. Requirements on minimal hardware parameters of the host where WinRoute will be installed:
  • CPU 1

Page 58

Chapter 10 HTTP and FTP filtering (p. 150): the following rule has been defined in the URL Rules tab in Configuration → Content Filtering → HTTP Rules: Figure 10.8

Page 59

10.5 Web content filtering by word occurrence (p. 151): Figure 10.9 ISS OrangeWeb Filter categories. Notes: 1. Use the Check button to check all items included in

Page 60 - 5.3 DNS Forwarder

Chapter 10 HTTP and FTP filtering (p. 152): Warning: Definition of forbidden words and threshold value is ineffective unless corresponding URL rules are set! Defin

Page 61

10.5 Web content filtering by word occurrence (p. 153): On the Content Rules tab, check the Deny Web pages containing... option to enable filtering by word occur

Page 62

Chapter 10 HTTP and FTP filtering (p. 154): Figure 10.12 Groups of forbidden words. page). If the total weight of the tested page exceeds this limit, access to t

Page 63

10.6 FTP Policy (p. 155): Group: Selection of a group to which the word will be included. You can also add a new name to create a new group. Keyword: Forbidden word

Page 64

Chapter 10 HTTP and FTP filtering (p. 156): If undesirable, this rule can be disabled. This is not recommended as it might jeopardize scanning reliability. Ho

Page 65

10.6 FTP Policy (p. 157): Figure 10.15 FTP Rule — basic parameters. Warning: Rules are disabled unless a corresponding IP address is found!
  • IP address from gro

Page 66 - 5.4 DHCP server

Chapter 10 HTTP and FTP filtering (p. 158): (see chapter 20.9). Go to the Advanced tab to define other conditions that must be met for the rule to be applied and

Page 67

10.6 FTP Policy (p. 159): If any of these options is chosen, you can specify names of files on which the rule will be applied using the File name entry. Wildcar

Page 68

Chapter 2 Introduction (p. 16): We recommend you to check through the following items before you run WinRoute installation:
  • Time of the operating system sho

Page 69

Chapter 11 Antivirus control (p. 160): WinRoute provides antivirus check of objects (files) transmitted by HTTP, FTP, SMTP and POP3 protocols. In case of HTTP an

Page 70

11.1 Conditions and limitations of antivirus scan (p. 161): (see chapter 12.3). This implies that the antivirus check is limited by the following factors:
  • Ant

Page 71

Chapter 11 Antivirus control (p. 162): 11.2 How to choose and setup antiviruses. To select antiviruses and set their parameters, open the Antivirus tab in Config

Page 72

11.2 How to choose and setup antiviruses (p. 163): Check for update every ... hours: Time interval of checks for new updates of the virus database and the antiv

Page 73

Chapter 11 Antivirus control (p. 164): External antivirus. For external antivirus, enable the Use external antivirus option in the Antivirus tab and select an an

Page 74

11.2 How to choose and setup antiviruses (p. 165): We strongly discourage administrators from changing the default value for file size limit. In any case, do no

Page 75

Chapter 11 Antivirus control (p. 166): in WinRoute. To achieve this, disable antivirus check for SMTP protocol or define a corresponding traffic rule where no pro

Page 76 - 5.5 Proxy server

11.3 HTTP and FTP scanning (p. 167): Figure 11.7 Settings for HTTP and FTP scanning. Infected files (files which are suspected of being infected) are saved into t

Page 77

Chapter 11 Antivirus control (p. 168): sponding user account (see chapter 13.1) and the SMTP server used for mail sending is configured correctly (refer to chap

Page 78

11.3 HTTP and FTP scanning (p. 169): Figure 11.8 Definition of an HTTP/FTP scanning rule. — this option filters out certain filenames (not entire URLs) transmitted

Page 79

2.3 Installation (p. 17): Figure 2.1 Custom installation — selecting optional components. Figure 2.2 Installation — verifying compatibility of the low-level dri

Page 80 - 5.6 HTTP cache

Chapter 11 Antivirus control (p. 170): type must be added to the end of the list (the Skip all other files rule is predefined for this purpose). 11.4 Email scanni

Page 81

11.4 Email scanning (p. 171): Figure 11.9 Settings for SMTP and POP3 scanning. In the Specify an action which will be taken with attachments... section, the fol

Page 82

Chapter 11 Antivirus control (p. 172): Note: Regardless of what action is set to be taken, the attachment is always removed and a warning message is attached i

Page 83

Chapter 12 Definitions (p. 173): 12.1 IP Address Groups. IP groups are used for simple access to certain services (e.g. WinRoute’s remote administration, Web ser

Page 84

Chapter 12 Definitions (p. 174): Figure 12.2 IP group definition. Name: The name of the group. Add a new name to create a new group. Insert the group name to add a n

Page 85

12.2 Time Intervals (p. 175): Using time ranges you can also set dial-up parameters — see chapter 5.1. To define time ranges go to Configuration → Definitions → T

Page 86 - Traffic Policy

Chapter 12 Definitions (p. 176): Figure 12.4 Time range definition. Time Interval Type: Time range type: Daily, Weekly or Absolute. The last type refers to the user

Page 87

12.3 Services (p. 177): 12.3 Services. WinRoute services enable the administrator to define communication rules easily (by permitting or denying access to the I

Page 88

Chapter 12 Definitions (p. 178): Figure 12.6 Network service definition. Protocol: The communication protocol used by the service. Most standard services use the TC

Page 89

12.3 Services (p. 179): Source Port and Destination Port: If the TCP or UDP communication protocol is used, the service is defined with its port number. In case o

Page 90

Chapter 2 Introduction (p. 18): the operating system). However, the drivers provided within the WinRoute installation package have been tested on all supported

Page 91

Chapter 12 Definitions (p. 180): can only be used in passive mode. The FTP protocol inspector distinguishes that the FTP is active, opens the appropriate port a

Page 92

12.4 URL Groups (p. 181): Figure 12.9 URL Groups. Matching fields next to names can be either checked to activate or unchecked to disable. This way you can deacti

Page 93

Chapter 12 Definitions (p. 182): Group: Name of the group to which the URL will be added. This option enables the administrator to:
  • select a group to which the

Page 94

Chapter 13 User Accounts and Groups (p. 183): User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can

Page 95

Chapter 13 User Accounts and Groups (p. 184): Note: This type of cooperation with Active Directory applies especially to older versions of WinRoute and makes t

Page 96 - 6.2 How traffic rules work

13.1 Viewing and definitions of user accounts (p. 185): Domain: Use the Domain option to select a domain for which user accounts as well as other parameters will

Page 97

Chapter 13 User Accounts and Groups (p. 186): local accounts. For detailed information about import of user accounts, refer to chapter 13.3. Import of accounts

Page 98

13.2 Local user accounts (p. 187): tion any longer. Under these conditions, a local user account (Admin with a blank password) will be created automatically up

Page 99

Chapter 13 User Accounts and Groups (p. 188): Figure 13.3 Creating a user account — basic parameters. Email Address: Email address of the user that alerts (see ch

Page 100

13.2 Local user accounts (p. 189): the domain (see chapter 13.1) or they can be set especially for the corresponding account. Using a template is suitable for c

Page 101

2.3 Installation (p. 19): Conflicting Applications and System Services. The WinRoute installation program detects applications and system services that might confl

Page 102

Chapter 13 User Accounts and Groups (p. 190): Figure 13.4 Creating a new user account — groups. Step 3 — access rights. Figure 13.5 Creating a new user account —

Page 103

13.2 Local user accounts (p. 191): Each user must be assigned one of the following three levels of access rights. No access to administration: The user has no ri

Page 104

Chapter 13 User Accounts and Groups (p. 192): HINT: Access rights can also be defined by a user account template. Step 4 — data transmission quota. Figure 13.6 Cr

Page 105

13.2 Local user accounts (p. 193): Quota exceed action: Set actions which will be taken whenever a quota is exceeded:
  • Block any further traffic — the user will b

Page 106 - 6.4 Basic Traffic Rule Types

Chapter 13 User Accounts and Groups (p. 194): Figure 13.7 Creating a new user account — Web site content rules. made. Users who are not allowed to override rule

Page 107

13.3 Local user database: external authentication and import of accounts (p. 195): If a user works at a reserved workstation (i.e. this computer is not by any

Page 108

Chapter 13 User Accounts and Groups (p. 196): Figure 13.9 Setting domains for authentication of local accounts. Active Directory: Use the Enable Active Directory

Page 109

13.3 Local user database: external authentication and import of accounts (p. 197): Automatic import of user accounts from Active Directory. If Active Directory

Page 110

Chapter 13 User Accounts and Groups (p. 198): Note: It is not possible to combine the automatic import with Active Directory domain mapping (see chapter 13.4)

Page 111

13.4 Active Directory domains mapping (p. 199): Figure 13.12 Import of accounts from Active Directory. 13.4 Active Directory domains mapping. In WinRoute, it is p

Page 112 - Chapter 6 Traffic Policy

Kerio Technologies. All Rights Reserved. Release Date: March 14, 2007. This guide provides detailed description on the Kerio WinRoute Firewall, version

Page 113 - Bandwidth Limiter

Chapter 2 Introduction (p. 20): Figure 2.3 Disabling colliding system services during installation. in the warning log. This helps assure that the service will

Page 114

Chapter 13 User Accounts and Groups (p. 200): If the DNS server itself is set in the operating system, the domain controller of the Active Directory must be th

Page 115

13.4 Active Directory domains mapping (p. 201): Figure 13.13 Active Directory domain mapping. Figure 13.14 Advanced settings for access to the Active Directory
  •

Page 116

Chapter 13 User Accounts and Groups (p. 202): able increases reliability of the connection and eliminates problems in cases when a domain controller fails. The

Page 117

13.4 Active Directory domains mapping (p. 203): One domain is always set as primary. In this domain, all user accounts where the domain is not specified, will b

Page 118

Chapter 13 User Accounts and Groups (p. 204): The following operations will be performed automatically within each conversion:
  • substitution of any appearance

Page 119

13.5 User groups (p. 205): Figure 13.17 WinRoute user groups. Search: The Search engine can be used to filter out user groups meeting specified criteria. The searchi

Page 120

Chapter 13 User Accounts and Groups (p. 206): Name: Group name (group identification). Description: Group description. It has an informative purpose only and may co

Page 121 - User Authentication

13.5 User groups (p. 207): Figure 13.20 Creating a user group — members’ user rights. Additional rights: Users can override WWW content rules: User belonging to th

Page 122

Chapter 13 User Accounts and Groups (p. 208): Users are allowed to use P2P networks: The P2P Eliminator module (detection and blocking of Peer-to-Peer networks

Page 123

Chapter 14 Remote Administration and Update Checks (p. 209): 14.1 Setting Remote Administration. Remote administration can be either permitted or denied by defini

Page 124

2.5 WinRoute Engine Monitor (p. 21): Note: WinRoute Firewall Engine is independent of the WinRoute Engine Monitor. The Engine can be running even if there is n

Page 125 - Web Interface

Chapter 14 Remote Administration and Update Checks (p. 210): HINT: The same method can be used to enable or disable remote administration of Kerio MailServer t

Page 126

14.2 Update Checking (p. 211): Check for new versions: Use this option to enable/disable automatic checks for new versions. Checks are performed:
  • 2 minutes afte

Page 127

Chapter 14 Remote Administration and Update Checks (p. 212): Figure 14.3 Administration Console’s welcome page informing that a new version is available

Page 128

Chapter 15 Advanced security features (p. 213): 15.1 P2P Eliminator. Peer-to-Peer (P2P) networks are world-wide distributed systems, where each node can represent

Page 129

Chapter 15 Advanced security features (p. 214): Figure 15.1 Detection settings and P2P Eliminator. As implied by the previous description, it is not possible to

Page 130 - 9.2 Login/logout page

15.1 P2P Eliminator (p. 215): If traffic of P2P network clients is not blocked, it is possible to set bandwidth limitation for P2P networks at the bottom of the

Page 131

Chapter 15 Advanced security features (p. 216):
  • P2P network port(s) — list of ports which are exclusively used by P2P networks. These ports are usually ports

Page 132

15.2 Special Security Settings (p. 217): Anti-Spoofing. Anti-Spoofing checks whether only packets with allowed source IP addresses are received at individual inter

Page 133

Chapter 15 Advanced security features (p. 218): 15.3 VPN using IPSec Protocol. IPsec (IP Security Protocol) is an extended IP protocol which enables secure data

Page 134 - 9.4 User preferences

15.3 VPN using IPSec Protocol (p. 219): WinRoute’s IPSec configuration. Generally, communication through IPSec must be permitted by firewall policy (for details re

Page 135

Chapter 2 Introduction (p. 22): Start-up Preferences. With these options WinRoute Engine and/or WinRoute Engine Monitor applications can be set to be launched au

Page 136 - Chapter 9 Web Interface

Chapter 15 Advanced security features (p. 220): The Translation column must be blank — no IP translation is performed. The pass-through setting is not importa

Page 137 - HTTP and FTP filtering

15.3 VPN using IPSec Protocol (p. 221): IPSec server in local network. An IPSec server on a host in the local network or on the WinRoute host must be mapped from

Page 138 - 10.2 URL Rules

Chapter 16 Other settings (p. 222): 16.1 Routing table. Using Administration Console you can view or edit the system routing table of the host where WinRoute is r

Page 139 - Figure 10.1 URL Rules

16.1 Routing table (p. 223): Route Types. The following route types are used in the WinRoute routing table:
  • System routes — routes downloaded from the operatin

Page 140

Chapter 16 Other settings (p. 224): Definitions of Dynamic and Static Rules. Click on the Add (or Edit when a particular route is selected) button to display a d

Page 141

16.2 Demand Dial (p. 225): If this option is not enabled, the route will be valid only until the operating system is restarted or until removed manually in the

Page 142

Chapter 16 Other settings (p. 226): Second, there must be no default gateway in the operating system (no default gateway must be defined for any network adapter

Page 143

16.2 Demand Dial (p. 227): Technical Peculiarities and Limitations. Demand dialing has its peculiarities and limitations. The limitations should be considered

Page 144

Chapter 16 Other settings (p. 228): is performed according to special types of DNS requests. Microsoft DNS server does not support automatic dialing. Moreover,

Page 145

16.2 Demand Dial (p. 229): Figure 16.3 Demand dial rules (for responses to DNS queries). In this section you can create a rule list of DNS names. Either whole DN

Page 146

2.6 Upgrade and Uninstallation (p. 23): Uninstallation. To uninstall WinRoute, stop all three WinRoute components. The Add/Remove Programs option in the Contro

Page 147

Chapter 16 Other settings (p. 230): 16.3 Universal Plug-and-Play (UPnP). WinRoute supports UPnP protocol (Universal Plug-and-Play). This protocol enables client

Page 148

16.4 Relay SMTP server (p. 231): UPnP also enables the application to open ports for a requested period. Here the Port mapping timeout parameter also represent

Page 149

Chapter 16 Other settings (p. 232): Figure 16.6 SMTP settings — reports sending. Server: Name or IP address of the server. Note: If available, we recommend you to

Page 150

16.4 Relay SMTP server (p. 233): Warning: 1. If SMTP is specified by a DNS name, it cannot be used until WinRoute resolves a corresponding IP address (by a DNS

Page 151

Chapter 17 Status Information (p. 234): WinRoute activities can be well monitored by the administrator (or by other users with appropriate rights). There are th

Page 152

17.1 Active hosts and connected users (p. 235): Figure 17.1 List of active hosts and users connected to the firewall. The following information can be found in t

Page 153

Chapter 17 Status Information (p. 236): Start time: Date and time when the host was first acknowledged by WinRoute. This information is kept in the operating syst

Page 154

17.1 Active hosts and connected users (p. 237): Figure 17.2 Context menu for the Active Hosts window. Refresh: This option refreshes information in the Active Hos

Page 155 - 10.6 FTP Policy

Chapter 17 Status Information (p. 238): Figure 17.3 Information about selected host/user — actions overview. Figure 17.4 Host info (if no user is connected from

Page 156

17.1 Active hosts and connected users (p. 239): Activity Description: Detailed information on a particular activity:
  • WWW — title of a Web page to which the use

Page 157

Chapter 2 Introduction (p. 24): Upgrade from WinRoute Pro 4.x. To import your configuration used in WinRoute Pro 4.x to the Kerio WinRoute Firewall 6.x, follow th

Page 158

Chapter 17 Status Information (p. 240): Information about connections: Traffic rule: Name of the WinRoute traffic rule (see chapter 6) by which the connection was al

Page 159

17.1 Active hosts and connected users (p. 241): Histogram: The Histogram tab provides information on data volume transferred from and to the selected host in a s

Page 160 - Antivirus control

Chapter 17 Status Information (p. 242): 17.2 Show connections related to the selected process. In Status → Connections, all the network connections which can be

Page 161

17.2 Show connections related to the selected process (p. 243): One connection is represented by each line of the Connections window. These are network conne

Page 162

Chapter 17 Status Information (p. 244): Options of the Connections Dialog. The following options are available below the list of connections:
  • Hide local connec

Page 163

17.2 Show connections related to the selected process (p. 245): Manage Columns: By choosing this option you can select which columns will be displayed in the Co

Page 164

Chapter 17 Status Information (p. 246): Note: Incoming and outgoing connections are distinguished by detection of direction of IP addresses — “out” (SNAT) or

Page 165

17.3 Alerts (p. 247): Figure 17.11 Alert Definitions. alert: Type of the event upon which the alert will be sent:
  • Virus detected — antivirus engine has detected a

Page 166 - 11.3 HTTP and FTP scanning

Chapter 17 Status Information (p. 248): was switched to a secondary line, or vice versa (it was switched back to the primary line). For details, refer to chapt

Page 167

17.3 Alerts (p. 249): Templates are stored in the templates subdirectory of the installation directory of WinRoute C:\Program Files\Kerio\WinRoute Firewall\temp

Page 168

2.7 Configuration Wizard (p. 25): Figure 2.7 Initial configuration — Setting of administration username and password. Remote Access. Immediately after the first WinR

Page 169

Chapter 17 Status Information (p. 250): Each line provides information on one alert:
  • Date — date and time of the event,
  • Alert — event type,
  • Details — basic

Page 170 - 11.4 Email scanning

Chapter 18 Basic statistics (p. 251): Statistical information about users (volume of transmitted data, used services, categorization of web pages) as well as

Page 171

Chapter 18 Basic statistics (p. 252): Optionally, other columns providing information on volume of data transmitted in individual time periods in both direct

Page 172

18.1 Interface statistics (p. 253): Auto refresh: Settings for automatic refreshing of the information on the Interface Statistics tab. Information can be refres

Page 173 - Definitions

Chapter 18 Basic statistics (p. 254): The period (2 hours or 1 day) can be selected in the Time interval box. The selected time range is always understood as t

Page 174 - 12.2 Time Intervals

18.2 User Statistics — data volumes and quotas (p. 255): Figure 18.4 User statistics. Notes: 1. Optionally, other columns providing information on volume of data

Page 175

Chapter 18 Basic statistics (p. 256): Reset user statistics: This option resets statistics of the selected user. Warning: Be aware that using this option for the

Page 176

Chapter 19 Kerio StaR — statistics and reporting (p. 257): The WinRoute’s web interface provides detailed statistics on users, volume of transferred data, visit

Page 177 - 12.3 Services

Chapter 19 Kerio StaR — statistics and reporting (p. 258): Note: Data in the database used for statistics cannot be removed manually (such action would be mean

Page 178

19.2 Settings for statistics and quota (p. 259): Figure 19.1 Statistics and transferred data quota settings. Enable/disable gathering of statistic data: The Gathe

Page 179

Chapter 2 Introduction (p. 26): Figure 2.8 Initial configuration — Allowing remote administration. Warning: The remote access rule is disabled automatically when

Page 180 - 12.4 URL Groups

Chapter 19 Kerio StaR — statistics and reporting (p. 260): Figure 19.2 Kerio StaR advanced options. The Show user names in statistics by... option enables selec

Page 181 - Figure 12.9 URL Groups

19.3 Connection to StaR and viewing statistics (p. 261): Statistics and quota accounting periods. Accounting period is a time period within which information of

Page 182

Chapter 19 Kerio StaR — statistics and reporting (p. 262): Note: URL for this link consists of the name of the server and of the port of the secured Web interf

Page 183 - User Accounts and Groups

19.4 Accounting period (p. 263):
  • Users by Traffic — table and chart for volumes of data transferred by individual users.
  • Visited Sites — overview of the ten

Page 184

Chapter 19 Kerio StaR — statistics and reporting (p. 264): Select an item in the Period length combo box (day, week, month). Further options are displayed depe

Page 185

19.5 Overall View (p. 265): 19.5 Overall View. The Overall tab provides overall statistics for all users within the local network (including anonymous, i.e. un

Page 186 - 13.2 Local user accounts

Chapter 19 Kerio StaR — statistics and reporting (p. 266): Figure 19.7 Chart of top visited web domains. cannot be precise, though the approximation is very goo

Page 187

19.5 Overall View (p. 267): Figure 19.9 Top 5 users statistics. 2. Firewall is a special user account including data transferred from and to the WinRoute host. H

Page 188

Chapter 19 Kerio StaR — statistics and reporting (p. 268): Figure 19.10 Parts of individual protocols in the total volume of transferred data.
  • E-mail — SMTP,

Page 189

19.6 User statistics (p. 269): Figure 19.11 Selection of a new time period for website statistics. 19.6 User statistics. The Individual tab allows showing of stat

Page 190 - Step 3 — access rights

Chapter 3 WinRoute Administration (p. 27): All Kerio products including WinRoute are administered through the Kerio Administration Console application (an appl

Page 191

Chapter 19 Kerio StaR — statistics and reporting (p. 270):
  • top requested web categories,
  • used protocols and their part in the total volume of transferred d

Page 192

19.8 Top Visited Websites (p. 271): 19.8 Top Visited Websites. The Visited Sites tab includes statistics for the top ten most frequently visited web domains. T

Page 193

Chapter 19 Kerio StaR — statistics and reporting (p. 272). Figure 19.15 Top active users for the particular domain. TIP: The way of users’ names are displayed i

Page 194

19.9 Top Requested Web Categories (p. 273). Figure 19.16 Top visited websites sorted by categories. The right section of the tab provides detailed statistics fo

Page 195

Chapter 19 Kerio StaR — statistics and reporting (p. 274). • The header provides name of the category and total number of requests to websites belonging to the

Page 196

Chapter 20: Logs (p. 275). Logs are files where history of certain events performed through or detected by WinRoute are recorded and kept. Each log is displayed i

Page 197

Chapter 20 Logs (p. 276). Figure 20.1 Log settings. File Logging: Use the File Logging tab to define file name and rotation parameters. Enable logging to file: Use this

Page 198

20.1 Log settings (p. 277). Figure 20.2 File logging settings. Syslog Logging: Parameters for logging to a Syslog can be defined in the External Logging tab. Figure

Page 199

Chapter 20 Logs (p. 278). Enable Syslog logging: Enable/disable logging to a Syslog server. If this option is disabled, none of the following parameters and sett

Page 200

20.2 Logs Context Menu (p. 279). The Save log option opens a dialog box where the following optional parameters can be set: Figure 20.5 Saving a log to a file. • T

Page 201

Chapter 3 WinRoute Administration (p. 28). Figure 3.1 The main window of Administration Console for WinRoute. Administration Window — Main menu: The main menu pro

Page 202

Chapter 20 Logs (p. 280). Encoding: Coding that will be used for the log printout in Administration Console can be selected in this section. UTF-8 is used by d

Page 203

20.2 Logs Context Menu (p. 281). Figure 20.6 Log highlighting settings. Figure 20.7 Highlighting rule definition. Note: Regular expression is such expression which

Page 204 - 13.5 User groups

Chapter 20 Logs (p. 282). The Debug log advanced settings: Special options are available in the Debug log context menu. These options are available only to users

Page 205

20.3 Alert Log (p. 283). Figure 20.9 Selection of information monitored by the Debug log. Clientless SSL-VPN, etc. 20.3 Alert Log: The Alert log provides a comple

Page 206

Chapter 20 Logs (p. 284). 20.4 Config Log: The Config log stores a complete communication history between Administration Console and the WinRoute Firewall Engine

Page 207

20.5 Connection Log (p. 285). • insert StaticRoutes ... — the particular command used to modify the WinRoute’s configuration database (in this case, a static ro

Page 208

Chapter 20 Logs (p. 286). • [Rule] NAT — name of the traffic rule which has been used (a rule by which the traffic was allowed or denied). • [Service] HTTP — name o

Page 209 - Chapter 14

20.7 Dial Log (p. 287). [15/Mar/2004 15:09:27] Line "Connection" dialing, console 127.0.0.1 - Admin [15/Mar/2004 15:09:39] Line "Connection"

Page 210 - 14.2 Update Checking

Chapter 20 Logs (p. 288). The first log item is recorded upon reception of a DNS request (the DNS forwarder has not found requested DNS record in its cache). Th

Page 211

20.8 Error Log (p. 289). 20.8 Error Log: The Error log displays information about serious errors that affect the functionality of the entire firewall. WinRoute adm

Page 212

3.1 Administration Window (p. 29). Status bar: The status bar at the bottom of the administration window displays the following information (from left to right

Page 213 - Advanced security features

Chapter 20 Logs (p. 290). • 8400-8499 — dial-up error (unable to read defined dial-up connections, line configuration error, etc.) • 8500-8599 — LDAP errors (se

Page 214

20.10 Http log (p. 291). Example of a traffic rule log message: [16/Apr/2003 10:51:00] PERMIT ’Local traffic’ packet to LAN, proto:TCP, len:47, ip/port:195.39.55.

Page 215

Chapter 20 Logs (p. 292). Notes: 1. Only accesses to allowed pages are recorded in the HTTP log. Requests that were blocked by HTTP rules are logged to the Filte

Page 216

20.11 Security Log (p. 293). • 192.168.64.64 — IP address of the client (i.e. of the host from which the client is connected to the website) • TCP_MISS — the TC

Page 217

Chapter 20 Logs (p. 294). • flags: — TCP flags • seq: — sequence number of the packet (TCP only) • ack: — acknowledgement sequence number (TCP only) • win: — size

Page 218 - 15.3 VPN using IPSec Protocol

20.12 Sslvpn Log (p. 295). a) Engine Startup: [17/Dec/2004 12:11:33] Engine: Startup. b) Engine Shutdown: [17/Dec/2004 12:22:43] Engine: Shutdown. 20.12 Sslvpn Lo

Page 219

Chapter 20 Logs (p. 296). [15/Apr/2004 15:00:51] (3004) Authentication subsystem warning: Kerberos 5 auth: user [email protected] not authenticated [15/Apr/2004

Page 220

20.14 Web Log (p. 297). Note: If the page title cannot be identified (i.e. for its content is compressed), the "Encoded content" will be reported • htt

Page 221

Chapter 21: Kerio VPN (p. 298). WinRoute enables secure interconnection of remote private networks using an encrypted tunnel and it provides clients secure acces

Page 222 - Other settings

21.1 VPN Server Configuration (p. 299). • No collisions arise while encrypted channels through the firewall are being created. It is supposed that one or multipl

Page 223

Contents (p. 3). 1 Quick Checklist ... 8; 2 In

Page 224

Chapter 3 WinRoute Administration (p. 30). After you remove the cause of the connection failure, the connection can be restored. If the reconnection attempt fa

Page 225 - 16.2 Demand Dial

Chapter 21 Kerio VPN (p. 300). General. Figure 21.2 VPN server settings — basic parameters. Enable VPN server: Use this option to enable/disable VPN server. VPN se

Page 226

21.1 VPN Server Configuration (p. 301). upon saving of the settings (by clicking Apply in the Interfaces tab). In such cases, redefine the VPN subnet. Figure 21.3

Page 227

Chapter 21 Kerio VPN (p. 302). VPN server — it is not necessary to apply for a new certificate. DNS. Figure 21.4 VPN server settings — specification of DNS servers

Page 228

21.1 VPN Server Configuration (p. 303). Figure 21.5 VPN server settings — server port and routes for VPN clients. Notes: 1. If the VPN server is already running,

Page 229

Chapter 21 Kerio VPN (p. 304). HINT: Use the 255.255.255.255 network mask to define a route to a certain host. This can be helpful for example when a route to a

Page 230

21.3 Interconnection of two private networks via the Internet (VPN tunnel) (p. 305). If the rules are set like this, all VPN clients can access local networks

Page 231 - 16.4 Relay SMTP server

Chapter 21 Kerio VPN (p. 306). Figure 21.7 VPN tunnel configuration. Configuration: Selection of a mode for the local end of the tunnel: • Active — this side of the

Page 232

21.3 Interconnection of two private networks via the Internet (VPN tunnel) (p. 307). the tunnel). • Passive — this end of the tunnel will only listen for an in

Page 233

Chapter 21 Kerio VPN (p. 308). DNS Settings: DNS must be set properly at both ends of the tunnel so that it is possible to connect to hosts in the remote networ

Page 234 - Status Information

21.3 Interconnection of two private networks via the Internet (VPN tunnel) (p. 309). Figure 21.9 VPN tunnel’s routing configuration. Connection establishment: Acti

Page 235

3.2 View Settings (p. 31). Note: The width of individual columns can be adjusted by moving the dividing line between the column headers.

Page 236

Chapter 21 Kerio VPN (p. 310). VPN tunnels can be disabled by the Disable button. Both endpoints should be disabled while the tunnel is being disabled. Note: VP

Page 237

21.4 Exchange of routing information (p. 311). Figure 21.11 Common traffic rules for VPN tunnel. 21.4 Exchange of routing information: An automatic exchange of rout

Page 238

Chapter 21 Kerio VPN (p. 312). sions, custom routes are used as prior. This option easily solves the problem where a remote endpoint provides one or more inval

Page 239

21.5 Example of Kerio VPN configuration: company with a filial office (p. 313). 21.5 Example of Kerio VPN configuration: company with a filial office. This chapter prov

Page 240

Chapter 21 Kerio VPN (p. 314). 4. No restrictions are applied for connections from the headquarters to the branch office network. 5. LAN 2 is not available to the

Page 241

21.5 Example of Kerio VPN configuration: company with a filial office (p. 315). For detailed description of basic configuration of WinRoute and of the local networ

Page 242

Chapter 21 Kerio VPN (p. 316). If a remote host is tested through IP address and it does not respond, check configuration of the traffic rules or/and find out wh

Page 243

21.5 Example of Kerio VPN configuration: company with a filial office (p. 317). In step 5, select Create rules for Kerio VPN server. Status of the Create rules fo

Page 244

Chapter 21 Kerio VPN (p. 318). Figure 21.16 Headquarter — DNS forwarder configuration. • Enable the Use custom forwarding option and define rules for names in the

Page 245

21.5 Example of Kerio VPN configuration: company with a filial office (p. 319). Figure 21.18 Headquarter — TCP/IP configuration. at a firewall’s interface connected t

Page 246 - 17.3 Alerts

Chapter 4: Product Registration and Licensing (p. 32). When purchased, Kerio WinRoute Firewall must be registered. WinRoute must be registered at Kerio Technol

Page 247 - Figure 17.11 Alert Definitions

Chapter 21 Kerio VPN (p. 320). Figure 21.19 Headquarters — VPN server configuration

Page 248

21.5 Example of Kerio VPN configuration: company with a filial office (p. 321). 5. Create a passive end of the VPN tunnel (the server of the branch office uses a dy

Page 249

Chapter 21 Kerio VPN (p. 322). Figure 21.21 Headquarter — final traffic rules. • Create the Branch office rule which will allow connections to services in LAN 1. • Ad

Page 250

21.5 Example of Kerio VPN configuration: company with a filial office (p. 323). Figure 21.22 Filial — no restrictions are applied to accessing the Internet from t

Page 251 - Basic statistics

Chapter 21 Kerio VPN (p. 324). When the VPN tunnel is created, customize these rules according to the restriction requirements (Step 6). 3. Customize DNS configu

Page 252

21.5 Example of Kerio VPN configuration: company with a filial office (p. 325). • Set the IP address of this interface (192.168.1.1) as a primary DNS server for th

Page 253

Chapter 21 Kerio VPN (p. 326). Figure 21.28 Filial office — VPN server configuration. For a detailed description on the VPN server configuration, refer to chapter 2

Page 254

21.5 Example of Kerio VPN configuration: company with a filial office (p. 327). Figure 21.29 Filial office — definition of VPN tunnel for the headquarters. Figure 21.3

Page 255 - Figure 18.4 User statistics

Chapter 21 Kerio VPN (p. 328). Note: It is not necessary to perform any other customization of traffic rules. The required restrictions should be already set in

Page 256

21.6 Example of a more complex Kerio VPN configuration (p. 329). Specification: The network follows the pattern shown in figure 21.31. Figure 21.31 Example of a VPN

Page 257 - Chapter 19

4.1 License types and number of users (p. 33). • update right expiration date — specifies the date by which WinRoute can be updated for free. When this date exp

Page 258

Chapter 21 Kerio VPN (p. 330). Note: For each installation of WinRoute, a separate license for corresponding number of users is required! For details see chapt

Page 259

21.6 Example of a more complex Kerio VPN configuration (p. 331). If the remote endpoint of the tunnel has already been defined, check whether the tunnel was crea

Page 260

Chapter 21 Kerio VPN (p. 332). Figure 21.32 Headquarters — no restrictions are applied to accessing the Internet from the LAN. Figure 21.33 Headquarter — creatin

Page 261

21.6 Example of a more complex Kerio VPN configuration (p. 333). 3. Customize DNS configuration as follows: • In configuration of the DNS Forwarder in WinRoute, s

Page 262

Chapter 21 Kerio VPN (p. 334). • Set the IP address of this interface (10.1.1.1) as a primary DNS server for the WinRoute host’s interface connected to the LAN

Page 263 - 19.4 Accounting period

21.6 Example of a more complex Kerio VPN configuration (p. 335). 4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no

Page 264

Chapter 21 Kerio VPN (p. 336). 5. Create a passive endpoint of the VPN tunnel connected to the London filial. Use the fingerprint of the VPN server of the London

Page 265 - 19.5 Overall View

21.6 Example of a more complex Kerio VPN configuration (p. 337). the London filial whereas the tunnel between the headquarters and the Paris office stays waste. Fig

Page 266

Chapter 21 Kerio VPN (p. 338). 6. Use the same method to create a passive endpoint for the tunnel connected to the Paris filial. Figure 21.41 The headquarters —

Page 267

21.6 Example of a more complex Kerio VPN configuration (p. 339). Figure 21.42 The headquarters — routing configuration for the tunnel connected to the Paris filia

Page 268

Chapter 4 Product Registration and Licensing (p. 34). 4.2 License information: The license information can be displayed by selecting Kerio WinRoute Firewall (th

Page 269 - 19.6 User statistics

Chapter 21 Kerio VPN (p. 340). Configuration of the London filial: 1. Install WinRoute (version 6.1.0 or higher) at the default gateway of the filial’s network. 2.

Page 270 - 19.7 Users by Traffic

21.6 Example of a more complex Kerio VPN configuration (p. 341). This step will create rules for connection of the VPN server as well as for communication of

Page 271 - 19.8 Top Visited Websites

Chapter 21 Kerio VPN (p. 342). Figure 21.48 The London filial office — DNS forwarding settings. 4. Enable the VPN server and configure its SSL certificate (create a

Page 272

21.6 Example of a more complex Kerio VPN configuration (p. 343). For a detailed description on the VPN server configuration, refer to chapter 21.1. 5. Create an

Page 273

Chapter 21 Kerio VPN (p. 344). On the Advanced tab, select the Use custom routes only option and set routes to headquarters’ local networks. Figure 21.51 The Lo

Page 274

21.6 Example of a more complex Kerio VPN configuration (p. 345). 6. Create a passive endpoint of the VPN tunnel connected to the Paris filial. Use the fingerpri

Page 275 - 20.1 Log settings

Chapter 21 Kerio VPN (p. 346). Figure 21.53 The London filial — routing configuration for the tunnel connected to the Paris branch office. Figure 21.54 The London fil

Page 276 - Figure 20.1 Log settings

21.6 Example of a more complex Kerio VPN configuration (p. 347). Configuration of the Paris filial: 1. Install WinRoute (version 6.1.0 or higher) at the default ga

Page 277 - Syslog Logging

Chapter 21 Kerio VPN (p. 348). 3. Customize DNS configuration as follows: • In configuration of the DNS Forwarder in WinRoute, specify DNS servers to which DNS qu

Page 278 - 20.2 Logs Context Menu

21.6 Example of a more complex Kerio VPN configuration (p. 349). • Set the IP address of this interface (172.16.1.1) as a primary DNS server for the WinRoute ho

Page 279

4.2 License information (p. 35). License ID: License number or a special license name. Subscription expiration date: Date until when the product can be upgraded fo

Page 280

Chapter 21 Kerio VPN (p. 350). 5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fin

Page 281

21.6 Example of a more complex Kerio VPN configuration (p. 351). of the remote server — in our example, the ping gw-sanfrancisco.company.com command can be used

Page 282

Chapter 21 Kerio VPN (p. 352). 6. Create an active endpoint of the tunnel connected to London (server gw-london.company.com). Use the fingerprint of the VPN ser

Page 283 - 20.3 Alert Log

21.6 Example of a more complex Kerio VPN configuration (p. 353). On the Advanced tab, select the Use custom routes only option and set routes to London’s local

Page 284 - 20.4 Config Log

Chapter 21 Kerio VPN (p. 354). VPN test: The VPN configuration has been completed by now. At this point, it is recommended to test reachability of the remote host

Page 285 - 20.5 Connection Log

Chapter 22: Kerio Clientless SSL-VPN (p. 355). Kerio Clientless SSL-VPN (thereinafter “SSL-VPN”) is a special interface used for secured remote access to shared

Page 286 - 20.7 Dial Log

Chapter 22 Kerio Clientless SSL-VPN (p. 356). Click Advanced to open a dialog where port and SSL certificate for SSL-VPN can be set. Figure 22.2 Setting of TCP

Page 287

22.2 Usage of the SSL-VPN interface (p. 357). Note: If the port for SSL-VPN interface is changed, it is also necessary to modify the Service item in this rule!

Page 288

Chapter 22 Kerio Clientless SSL-VPN (p. 358). counts authenticated only in WinRoute (Internal user database authentication) cannot be used to access SSL-VPN.

Page 289 - 20.8 Error Log

22.2 Usage of the SSL-VPN interface (p. 359). At the top of the page, an entry is available, where location of the demanded shared item (so called UNC path) ca

Page 290 - 20.9 Filter Log

Chapter 4 Product Registration and Licensing (p. 36). Figure 4.2 The Administration Console’s welcome page pop-up menu. • Copy license number to clipboard — cop

Page 291 - 20.10 Http log

Chapter 23: Troubleshooting (p. 360). This chapter provides several helpful tips for solving of problems which might arise during WinRoute deployment. 23.1 Detect

Page 292

23.2 Configuration Backup and Transfer (p. 361). Once configuration of network interfaces is corrected, it is not necessary to restart the computer or WinRoute F

Page 293 - 20.11 Security Log

Chapter 23 Troubleshooting (p. 362). For details on traffic between the WinRoute Firewall Engine and the Administration Console, refer to Kerio Administration

Page 294

23.2 Configuration Backup and Transfer (p. 363). Directories: logs: The logs directory stores all WinRoute logs (see chapter 20). star: The star directory includes a

Page 295 - 20.13 Warning Log

Chapter 23 Troubleshooting (p. 364). a unique (randomly generated) identifier in the operating system. It is almost not possible that two identifiers were identi

Page 296 - 20.14 Web Log

23.3 Automatic user authentication using NTLM (p. 365). <variable name="Name">LAN</variable> ... </listitem> 9. Save the winroute.cfg

Page 297

Chapter 23 Troubleshooting (p. 366). WinRoute Configuration: NTLM authentication of users from web browsers must be enabled in Users → Authentication Options. U

Page 298 - Kerio VPN

23.3 Automatic user authentication using NTLM (p. 367). The configuration of the WinRoute’s web interface must include a valid DNS name of the server on which W

Page 299 - 21.1 VPN Server Configuration

Chapter 23 Troubleshooting (p. 368). Explorer sends saved login data instead of NTLM authentication of the user currently logged in. Should any problems rega

Page 300

23.4 Partial Retirement of Protocol Inspector (p. 369). 23.4 Partial Retirement of Protocol Inspector: Under certain circumstances, appliance of a protocol insp

Page 301

4.3 Registration of the product in the Administration Console (p. 37). Figure 4.3 Trial version registration — security code. Figure 4.4 Trial version registrat

Page 302

Chapter 23 Troubleshooting (p. 370). 2. In the Configuration → Traffic Policy section, create a rule which will permit this service traffic between the local networ

Page 303

23.5 User accounts and groups in traffic rules (p. 371). Such a rule enables the specified users to connect to the Internet (if authenticated). However, these use

Page 304

Chapter 23 Troubleshooting (p. 372). Note: In this example, it is assumed that client hosts use the WinRoute DNS Forwarder or local DNS server (traffic must be a

Page 305

23.6 FTP on WinRoute’s proxy server (p. 373). server is 3128 (for details, refer to chapter 5.5). It is also recommended to enable the Bypass proxy server for

Page 306

Chapter 23 Troubleshooting (p. 374). Figure 23.12 Setting proxy server for FTP in Total Commander. HINT: The defined proxy server is indexed and saved to the lis

Page 307

Chapter 24: Network Load Balancing (p. 375). Certain versions of the Microsoft Windows operating system allow creation of so called cluster — a group of hosts wh

Page 308

Chapter 24 Network Load Balancing (p. 376). Figure 24.1 Network configuration for Network Load Balancing. 1. Three IP addresses must be reserved when assigning I

Page 309

24.3 Configuration of the servers in the cluster (p. 377). 6. Set 192.168.1.1 (IP address of the cluster) as the IP address at default gateway for computers in

Page 310

Chapter 24 Network Load Balancing (p. 378). Figure 24.2 Server 1 — cluster parameters. Figure 24.3 Server 1 — host parameters

Page 311

24.3 Configuration of the servers in the cluster (p. 379). NLB configuration for Server2: The configuration is almost the same in the case of Server1. However, IP

Page 312

Chapter 4 Product Registration and Licensing (p. 38). Figure 4.5 Trial version registration — other information. 4. The fourth page provides the information sum

Page 313

Chapter 25: Technical support (p. 380). Free email and telephone technical support is provided for Kerio WinRoute Firewall. For contacts, see the end of this cha

Page 314

25.2 Tested in Beta version (p. 381). Informational File: You can use the Administration Console to create a text file including your WinRoute configuration data.

Page 315

Chapter 25 Technical support (p. 382). For details on beta versions and their testing, refer to the http://www.kerio.com/betaweb page. 25.3 Contacts: Kerio Techn

Page 316

Appendix A: Legal Presumption (p. 383). Microsoft®, Windows®, Windows NT®, Internet Explorer® and Active Directory® are registered trademarks of Microsoft Co

Page 317

Appendix B: Used open-source libraries (p. 384). Kerio WinRoute Firewall contains the following open-source libraries: IBPP: Copyright 2000-2006 T.I.P. Group S.A.

Page 318

(p. 385) Prototype: Copyright 2005 Sam Stephenson. Homepage: http://prototype.conio.net/ zlib: Copyright 1995-2005 Jean-Loup Gailly and Mark Adler. Homepage: htt

Page 319

Glossary of terms (p. 386). ActiveX: This Microsoft’s proprietary technology is used for creation of dynamic objects for Web pages. This technology provides many

Page 320 - Chapter 21 Kerio VPN

(p. 387) DNS: DNS (Domain Name System) A worldwide distributed database of Internet hostnames and their associated IP address. Computers use Domain Name Serv

Page 321

Glossary of terms (p. 388). IP address: IP address is a unique 32-bit number used to identify the host in the Internet. It is specified by numbers of the decimal

Page 322

(p. 389) The NAT technology enables connection from local networks to the Internet using a single IP address. All hosts within the local network can access t

Page 323

4.3 Registration of the product in the Administration Console (p. 39). 5. The last page of the wizard provides user’s Trial ID. This ID is a unique code us

Page 324

Glossary of terms (p. 390). the Internet. This implies that IP ranges for local networks cannot collide with IP addresses used in the Internet. The following IP

Page 325

(p. 391) Spam: Undesirable email message, usually containing advertisements. Spoofing: Spoofing means using false IP addresses in packets. This method is used by at

Page 326

Glossary of terms (p. 392). TCP/IP: Name used for all traffic protocols used in the Internet (i.e. for IP, ICMP, TCP, UDP, etc.). TCP/IP does not stand for any par

Page 327

Index (p. 393). A: Active Directory 189, 196; automatic import of accounts 197; domain mapping 199; import of user accounts 198; multiple domains mapping 202; administrat

Page 328

Index (p. 394). DNS: DNS Forwarder 60; forwarding rules 62; hosts file 64, 65; local domain 65. F: FTP: filtering rules 155, 137, 179, 372. G: groups: IP address 173; of forbidden wo

Page 329

(p. 395) web 296. M: multihoming 109. N: NAT 92, 103, 106; NLB: configuration 375, 375; NT domain: import of user accounts 198, 196; NTLM: configuration of web browsers 368; deploy

Page 330

Index (p. 396). settings 258, 251; top requested web categories 272; top visited websites 271; user groups 254; volume of transferred data 270; status information: active

Page 331

(p. 397) user preferences 134; user statistics 133, 125; Windows: Internet Connection Sharing 19; security center 20; Windows Firewall 19; WinRoute Engine Monitor 20, 2

Page 333

(p. 4) 7 Bandwidth Limiter ... 113; 7.1 How the bandwidt

Page 334

Chapter 4 Product Registration and Licensing (p. 40). Figure 4.8 Product registration — license number of the basic product and the security code

Page 335

4.3 Registration of the product in the Administration Console (p. 41). Figure 4.9 Product registration — license numbers of additional components, add-ons and

Page 336

Chapter 4 Product Registration and Licensing (p. 42). Figure 4.10 Product registration — user information. Figure 4.11 Product registration — other information

Page 337

4.3 Registration of the product in the Administration Console (p. 43). 5. The last page provides the information summary. If any information is incorrect, use

Page 338

Chapter 4 Product Registration and Licensing (p. 44). 4.4 Product registration at the website: If, by any reason, registration of WinRoute cannot be performed f

Page 339

4.5 Subscription / Update Expiration (p. 45). Administrators are informed in two ways: • By a pop-up bubble tip (this function is featured by the WinRoute Engi

Page 340

Chapter 4 Product Registration and Licensing (p. 46). Figure 4.14 The notice informing about upcoming subscription expiration. Figure 4.15 The notice that the s

Page 341

4.6 User counter (p. 47). Start WinRoute: When WinRoute is started, the table of clients includes the firewall only. Number of used licenses is zero. Note: Table of

Page 342

Chapter 4 Product Registration and Licensing (p. 48). License release: Idleness time (i.e. time for which no packet with a corresponding IP address meeting all c

Page 343

Chapter 5: Settings for Interfaces and Network Services (p. 49). 5.1 Network interfaces: WinRoute functions as a router for all WinRoute’s network interfaces inst

Page 344

(p. 5) 14 Remote Administration and Update Checks ... 209; 14.1 Setting Remote Administration ...

Page 345

Chapter 5 Settings for Interfaces and Network Services (p. 50). Adapter info: Adapter identification string returned by the device driver. ID: A unique identifier of

Page 346

5.1 Network interfaces (p. 51). • If a network adapter, a Dial-in interface or a VPN server is selected, these buttons are inactive. Refresh: Use this button to r

Page 347

Chapter 5 Settings for Interfaces and Network Services (p. 52). Figure 5.2 Interface type selection. Figure 5.3 Dial-ups — basic parameters. Bind this interface..

Page 348

5.1 Network interfaces (p. 53). Interface name: Unique name that will identify the line within WinRoute. In the Dialing Settings tab you can specify the details

Page 349

Chapter 5 Settings for Interfaces and Network Services (p. 54). Connection: Connection type that can be used for dialing: • Manual — the line can only be dialed

Page 350

5.1 Network interfaces (p. 55). • The On demand dial enabled option is processed with the lowest priority. If the always option is selected, on-demand dial wil

Page 351

Chapter 5 Settings for Interfaces and Network Services (p. 56). Windows Task Manager. Under specific circumstances, such application might also block other dial

Page 352

5.2 Connection Failover (p. 57). Figure 5.7 Traffic policy for primary and alternative Internet connections. Notes: 1. Traffic rules must be defined by the moment whe

Page 353

Chapter 5 Settings for Interfaces and Network Services (p. 58). Figure 5.8 Configuration of primary and secondary Internet connection. Notes: 1. Connection failov

Page 354

5.2 Connection Failover (p. 59). Primary connection: Parameters of the primary Internet connection. The connection can be defined as follows: • network interface w

Page 355 - Kerio Clientless SSL-VPN

(p. 6) 20.7 Dial Log ... 286; 20.8 Error Log ...

Page 356

Chapter 5 Settings for Interfaces and Network Services (p. 60). For these reasons we recommend you to set dial-up parameters as follows: • for the primary conn

Page 357

5.3 DNS Forwarder (p. 61). Figure 5.9 DNS forwarder settings. Enable DNS forwarding: This option switches between the on/off modes of the DNS Forwarder (the servic

Page 358

Chapter 5 Settings for Interfaces and Network Services (p. 62). they are considered primary, secondary, etc.). This option should be used when there is the nee

Page 359

5.3 DNS Forwarder (p. 63). Figure 5.10 Specific settings of DNS forwarding. DNS server can be specified for: • DNS name — queries requiring names of computers will

Page 360 - Troubleshooting

Chapter 5 Settings for Interfaces and Network Services (p. 64). Figure 5.11 DNS forwarding — a new rule. • Use the Reverse DNS query alternative to specify rule

Page 361

5.3 DNS Forwarder (p. 65). Before forwarding a query... These options allow setting of where the DNS Forwarder would search for the name or IP address before th

Page 362

Chapter 5 Settings for Interfaces and Network Services (p. 66). domain to answer queries on fully qualified local DNS names (names including the domain). The pro

Page 363

5.4 DHCP server (p. 67). Using DHCP brings two main benefits. First, the administration is much easier than with the other protocols as all settings may be done

Page 364

Chapter 5 Settings for Interfaces and Network Services (p. 68). In the Item column, you can find subnets where scopes of IP addresses are defined. The IP subnet

Page 365

5.4 DHCP server (p. 69). Advanced: Click on this button to open a dialog with a complete list of advanced parameters supported by DHCP (including the four mentio

Page 366

(p. 7) A Legal Presumption ... 383; B Used open-source l

Page 367

Chapter 5 Settings for Interfaces and Network Services (p. 70). First address, Last address: First and last address of the new scope. Note: If possible, we recom

Page 368

5.4 DHCP server (p. 71). Parameters: In the Address Scope dialog, basic DHCP parameters of the addresses assigned to clients can be defined: • Default Gateway — IP

Page 369

Chapter 5 Settings for Interfaces and Network Services (p. 72). Figure 5.17 DHCP server — DHCP settings. Figure 5.18 DHCP server — statistics (leased and free I

Page 370

5.4 DHCP server (p. 73). Figure 5.19 DHCP server — reserving an IP address. or by dashes — for example: 00-bc-a5-f2-1e-50 The MAC address of a network adapter can

Page 371

Chapter 5 Settings for Interfaces and Network Services (p. 74). Figure 5.20 DHCP server — list of leased and reserved IP addresses. Columns in this section cont

Page 372

5.4 DHCP server (p. 75). The following columns are hidden by default: • Last Request Time — date and time when the recent request for a lease or lease extension

Page 373

Chapter 5 Settings for Interfaces and Network Services (p. 76). Figure 5.21 DHCP server — advanced options. cause exceeding of the number of licensed users (if

Page 374 - Chapter 23 Troubleshooting

5.5 Proxy server (p. 77). most common situations: 1. To connect from the WinRoute host it is necessary to use the proxy server of your ISP. Proxy server included

Page 375 - Network Load Balancing

Chapter 5 Settings for Interfaces and Network Services (p. 78). Figure 5.22 HTTP proxy server settings. If you are not sure that the port you intend to use is f

Page 376

5.5 Proxy server (p. 79). Forward to parent proxy server: Tick this option for WinRoute to forward all queries to the parent proxy server which will be specified

Page 377

Chapter 1: Quick Checklist (p. 8). In this chapter you can find a brief guide for a quick setup of “Kerio WinRoute Firewall” (called briefly “WinRoute” in furthe

Page 378

Chapter 5 Settings for Interfaces and Network Services (p. 80). all local hosts by a single click. 5.6 HTTP cache: Using cache to access Web pages that are opene

Page 379

5.6 HTTP cache (p. 81). Figure 5.23 HTTP cache configuration. Cache size: Size of the cache file on the disk. Maximal cache size allowed is 2 GB (2047 MB). Notes: 1. I

Page 380 - Technical support

Chapter 5 Settings for Interfaces and Network Services (p. 82). Memory cache size: Maximal memory cache size in the main storage. This cache is used especially

Page 381 - 25.2 Tested in Beta version

5.6 HTTP cache (p. 83). Note: Clients can always require a check for updates from the Web server (regardless of the cache settings). Use a combination of the C

Page 382 - 25.3 Contacts

Chapter 5 Settings for Interfaces and Network Services (p. 84). TTL: TTL of objects matching with the particular URL. The 0 days, 0 hours option means that objec

Page 383 - Legal Presumption

5.6 HTTP cache (p. 85). TIP: By clicking and dragging or by clicking and using the Ctrl or Shift key, it is possible to select multiple objects. Figure 5.26 HTT

Page 384 - Used open-source libraries

Chapter 6: Traffic Policy (p. 86). Traffic Policy belongs to the basic WinRoute configuration. All the following settings are displayed and can be edited within th

Page 385

6.1 Network Rules Wizard (p. 87). Step 1 — information. Figure 6.1 Traffic Policy Wizard — introduction. To run successfully, the wizard requires the following para

Page 386 - Glossary of terms

Chapter 6 Traffic Policy 88
Step 3 — network adapter or dial-up selection
If the network adapter is used to connect the host to the Internet, it can be sel

Page 387

6.1 Network Rules Wizard 89
• Use login data from the RAS entry — username and password for authentication at the remote server will be copied from a cor

Page 388

9
7. Define IP groups (chapter 12.1), time ranges (chapter 12.2) and URL groups (chapter 12.4), that will be used during rules definition (refer to chap

Page 389

Chapter 6 Traffic Policy 90
Allow access to the following services only
Only selected services will be available from the local network.
Note: In this dialo

Page 390

6.1 Network Rules Wizard 91
The dialog window that will open a new service can be activated with the Add button.
Figure 6.7 Network Policy Wizard — enabl

Page 391

Chapter 6 Traffic Policy 92
Step 7 — NAT
If you only use one public IP address to connect your private local network to the Internet, run the NAT function

Page 392

6.1 Network Rules Wizard 93
Figure 6.10 Network Rules Wizard — the last step
Rules Created by the Wizard
The traffic policy is better understood through the

Page 393

Chapter 6 Traffic Policy 94
Figure 6.11 Traffic Policy generated by the wizard
Local Traffic
This rule enables all traffic between local hosts and the host where

Page 394

6.1 Network Rules Wizard 95
This implies that, by default, the rule allows traffic between the local network (firewall), remote networks connected via VPN

Page 395

Chapter 6 Traffic Policy 96
6.2 How traffic rules work
The traffic policy consists of rules ordered by their priority. When the rules are applied they are proce

Page 396

6.3 Definition of Custom Traffic Rules 97
Figure 6.12 Traffic rule — name, color and rule description
If the description is specified, the “bubble” symbol is d

Page 397

Chapter 6 Traffic Policy 98
A new source or destination item can be defined after clicking the Add button:
• Host — the host IP address or name (e.g. 192.16

Page 398

6.3 Definition of Custom Traffic Rules 99
1. Incoming VPN connections (VPN clients) — all VPN clients connected to the WinRoute VPN server via the Kerio VPN
