Kerio Control disables the incoming channel. Kerio Control - comprehensive network security


Let's start setting up the security of our UTM gateway on the Kerio Control 7.4.1 platform

First of all, let's move on to setting up the IDS/IPS system and set the update schedule to 1 hour instead of the default 24 hours. The update does not “load” the device at all, but it significantly increases the chances of catching the malware.

Now let’s set the actions, for High severity “Log and delete”, for Medium “Log and delete”, for Low severity “Log”:

Such settings can significantly affect the “normal” operation of “problem” PCs, which we will soon hear about through the Help Desk and see in the Security log:
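One way to pull the “problem” PCs out of an exported Security log, added here as an example and not part of the original article. The line layout matched by `LINE_RE`, the LAN range and every sample line are assumptions constructed for illustration; adjust the pattern to your own export.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# ASSUMED layout of an IPS entry in the Security log; adjust to your export.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+IPS:\s+(?P<action>[^,]+),\s+severity:\s+(?P<sev>\w+),"
    r"\s+Rule ID:\s+(?P<rule>\S+)\s+(?P<msg>.*?),\s+proto:(?P<proto>\w+),"
    r"\s+ip/port:(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)

# Constructed sample lines (documentation IP ranges, made-up rule IDs).
SAMPLE_LOG = """\
[02/Mar/2013 08:54:38] IPS: Packet drop, severity: High, Rule ID: 1:9000001 EXAMPLE trojan check-in, proto:TCP, ip/port:192.168.10.31:49960 -> 203.0.113.7:80
[02/Mar/2013 08:54:41] IPS: Packet drop, severity: High, Rule ID: 1:9000001 EXAMPLE trojan check-in, proto:TCP, ip/port:192.168.10.31:49961 -> 203.0.113.7:80
[02/Mar/2013 08:55:02] IPS: Packet drop, severity: Medium, Rule ID: 1:9000002 EXAMPLE policy, p2p client, proto:UDP, ip/port:198.51.100.20:6881 -> 192.168.10.31:51413
[02/Mar/2013 09:10:15] IPS: Alert, severity: Low, Rule ID: 1:9000003 EXAMPLE scan, proto:TCP, ip/port:198.51.100.99:40000 -> 192.168.10.5:22
[02/Mar/2013 09:12:00] IPS: Packet drop, severity: Medium, Rule ID: 1:9000002 EXAMPLE policy, p2p client, proto:UDP, ip/port:192.168.10.44:51413 -> 198.51.100.20:6881
[02/Mar/2013 09:15:00] Anti-Spoofing: packet from LAN dropped
"""


def parse_event(line):
    """Return a dict for an IPS line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    try:
        ev["src"], ev["dst"] = ip_address(ev["src"]), ip_address(ev["dst"])
    except ValueError:
        return None  # looked like an address but was not one
    return ev


def internal_endpoint(ev, lan):
    """Which side of the flow is ours, and in which direction did it go?"""
    if ev["src"] in lan:
        return ev["src"], "outbound"  # a LAN host initiated the suspicious traffic
    if ev["dst"] in lan:
        return ev["dst"], "inbound"   # background noise aimed at a LAN host
    return None, None


def problem_hosts(lines, lan="192.168.10.0/24", min_outbound=2):
    """Rank LAN hosts by High/Medium hits they *originated*.

    Returns (report, skipped): report is a list of
    (host, outbound_hits, per-(direction, severity) counts), worst first;
    skipped counts lines that were not IPS entries.
    """
    lan = ip_network(lan)
    per_host = defaultdict(Counter)
    skipped = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            skipped += 1
            continue
        host, direction = internal_endpoint(ev, lan)
        if host is not None:
            per_host[str(host)][(direction, ev["sev"])] += 1

    report = []
    for host, counts in per_host.items():
        outbound = sum(n for (d, sev), n in counts.items()
                       if d == "outbound" and sev in ("High", "Medium"))
        if outbound >= min_outbound:
            report.append((host, outbound, dict(counts)))
    report.sort(key=lambda row: (-row[1], row[0]))
    return report, skipped


if __name__ == "__main__":
    rows, skipped = problem_hosts(SAMPLE_LOG.splitlines())
    for host, outbound, counts in rows:
        print(f"{host}: {outbound} outbound High/Medium hits, detail={counts}")
    print(f"{skipped} non-IPS line(s) skipped")
```

Splitting by direction matters here: hits a LAN host originates point at the machine the Help Desk will hear about, while inbound hits are mostly Internet noise.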

Well now go to the “Security Settings” section and allow access to the local network via MAC address only to the listed computers; for this purpose, we will prepare in advance a list of MAC addresses that are used in the organization.

When adding a new device to the network, we will have to add its MAC address; this is inconvenient, so it is logical to entrust it to the Help Desk service. But in that case they would have to be given administrative rights on the UTM, which is unacceptable because it destroys any security :)

Someday Kerio will use RBAC in its products, but for now we will select a guest network for guests of the organization and will not filter by MAC there.

Go to the “Miscellaneous” subsection and increase the connection limit per host to 6000. This may be necessary for all sorts of applications such as client banks, etc.

Let’s also make sure that the anti-spoofing module is enabled and events are recorded in the log:

Let's move on to the "HTTP Policy" section and first of all, enable "Remove advertisement and banners", and for debugging purposes, enable logging of this rule.

Now, taking into account the possibility of leaking information through social networks, we will prohibit their use; to do this, we will create a new rule “Social”, select the action “Refuse”, enter the text “According to the information security policy, the use of social networks is prohibited.”, but since in our case this is not a ban, but rather a recommendation, we will enable the ability for users to unblock this rule.

As a URL, we will not list all sorts of http://vk.com and https://facebook.com, but will indicate a URL rated by the Kerio Control Web Filter rating system (and of course we will filter including https).

Our rule will be valid for all users, at any time, and events will be recorded in the Log.

In real conditions, it most often happens that a prohibiting rule is created for all users during working hours with the exception of lunch (i.e. in the morning, at lunch and after work, your favorite VKontakte will work).

And for the VIP group (which may include managers, top executives and other privileged employees) access will be denied at any time, but with the possibility of unlocking.

I will leave this Customer’s decision without comment, I’ll just show you what it looks like:

In a similar way, you can manage all Internet traffic very flexibly, because Kerio Web Filter is amazingly good.

I don’t use forbidden words, I leave the settings at default, but in the Kerio Control Web Filter settings I will allow users to report suspected errors, because all systems are imperfect in their own way, and Habr’s blocking “out of the box” is proof of this:

As for FTP filtering, users practically do not use it, so I will include only two standard rules and will not write my own until incidents occur:

Let's move on to the Antivirus settings. First of all, let's set the update schedule to one hour, because practice suggests that signatures are updated more often than every 8 hours.

Because protecting email at the gateway level does not seem to me to be a very good idea, I will disable SMTP and POP3 scanning. I will also disable FTP, because practice suggests that this protocol is used more often by administrators, and users have already successfully forgotten about it.

And on the “Email Scanning” tab, just in case, I will allow the transfer of attachments, even if they were somehow mistaken for malicious.

Of course, when it comes to security, monitoring is the most important condition, so we will configure Kerio Star according to your needs.

In order to reduce the administrative burden, we will set up exceptions for some traffic and for VIP employees, to whose traffic even system administrators should not have access:

In the “System Access” subsection, we will allow users access to their own statistics, and moreover, we will automatically send them these same statistics weekly.

For some responsible person (in this case, this person is me) it is possible to access and receive daily reports on the activities of all employees.

Also, the system administrator has the opportunity to receive notifications about the following system events:

Of course, for all these functions to work properly, Kerio Control must have an SMTP relay configured, and a valid email must be specified in each user’s profile.

In the Additional Options, in the “P2P Limiter” subsection, you can block torrents that are likely to be harmful on the corporate network.

In this case, the user will be notified by email (the administrator can also be notified by email) and blocked for 20 minutes.

UPD: It is possible to disable Java, ActiveX, etc. both for individual users and for the entire organization:

And of course, regularly review all the logs; I’ll tell you how to make this process convenient next time.

To correctly configure traffic distribution, you must select the type of Internet connection.

The most suitable one is configured for each local network. Constant access can be enabled; with this function, there is a constant connection to the Internet.

The second option may be to connect when necessary - the program itself will establish a connection when needed.

If there are two connections, then when the Internet connection is lost, Kerio Control will reconnect to another channel.

Having two or more Internet channels, you can choose the fourth type of connection. The load will be distributed evenly across all channels.

User setup

It is necessary to configure user access parameters; basic configuration of the program is required. You need to specify and add network interfaces, select network services available to users. Don't forget to set up rules for VPN connections and rules for services running on your local network. To add users to the program, we recommend that you first divide them into groups. This function can be set in the “Users and Groups” tab.

In groups, you need to create access rights, for example, the ability to use VPN and view statistics.

If there is a domain on the network, adding users is very easy: you need to enable the “Use Domain User Database” option in the “Users” menu. If there is no domain on the network, users must be added manually, giving each a name, email address, login and description.

Setting up statistics in

For Kerio Control to show Internet traffic statistics, users need to be authorized.

If you need to monitor user statistics, enable automatic registration of each user through the browser.

If the company has a small number of employees, it is possible to set up a permanent IP for each computer and associate each user with it.

Content filtering - setting options

To configure the security system, you need to go from the “Configuration” tab to the “Content Filtering” settings. In the “Antivirus” section, you can configure the update of anti-virus databases and use the checkboxes to select the protocols that will be scanned.

To enable HTTP traffic scanning, go to the “HTTP Policy” tab. Activate the “black list” and add prohibited words to it. Using the words you added, the system will immediately block all sites on which these expressions appear. To create a more flexible filtering system, create rules using the “URL Rules” subsection.

Configure traffic rules

Traffic rules are configured through the “Configuration” section. Go to the “Traffic Policy” tab and select one of the three parameters that you want to configure. In the “Traffic Rules” section, you create rules that will be used to regulate user access to the Internet, content filtering, and connections from a remote office.

Give the rule a name. In the “Source” column, you can select Any Source, Trusted Source, or list specific sources. In the “Destination” column you need to indicate where the data will be sent: to a local network, a VPN tunnel or the Internet. The “Services” item lists all the services and ports to which the rule will apply.

Setting up load balancing


To control network traffic and distribute it rationally between the most important transmission channels, you need to configure load balancing. This optimizes Internet access for users. With traffic distributed this way, the most important connection channel, which carries important data, will always have uninterrupted Internet access.

To assign the volume of network traffic, the program implements QoS support. You can create maximum throughput for a priority channel while stopping low priority traffic. It is possible to configure load balancing across multiple connections.

NAT: setting

Using the Kerio firewall, you can ensure a secure PC connection to your local network. Create Internet access for some employees in a remote office, without any action on their part. To do this, you will need to create a VPN connection on your local network from a remote office. Install and configure interfaces for connecting to the Internet. In the control panel, in the “Traffic Policy” tab, create a rule that allows local traffic.

Don't forget to indicate all the required objects in the source. You will also need to create a rule that will allow local users to access the Internet. You also need to configure NAT: despite the created rules, Internet access will not be possible without enabling this function. In the “Traffic Policy” tab, select the “Translation” section and check the “Enable source NAT” checkbox. Specify the balancing path.

Setting up interfaces


The interfaces are configured immediately after installing the program. Having already activated the one that was purchased from and chosen the type of Internet connection, you can start setting up interfaces. Go to the “Interfaces” section on the management console. The program itself detects interfaces that are connected to the Internet and accessible. All names will be displayed in the form of a list.

If the load on the interfaces is distributed (selecting the type of Internet connection), you can add network interfaces in an unlimited number. The maximum possible load is set for each of them.


Many people use the Kerio Control firewall. It has the widest functionality, reliability and ease of use. Today we’ll talk about how to set up bandwidth management rules. Simply put, let's try to limit the speed of Internet access for users and groups.

How to limit Internet speed for users and groups in Kerio Control

And so let’s go to the Kerio Control administration panel. On the left we look for the item Bandwidth Management. First, let's indicate the speed of your Internet connection. At the bottom, in the Internet connection bandwidth field, click change and enter the speed for downloading and uploading. This data is needed for the correct operation of Kerio Control itself.

Now add a new rule, click add and enter a name.

Next, in the Traffic field, you need to indicate for whom this restriction will apply. There are a lot of options, but we are interested in specific groups and users, so click on Users and groups. In the window that opens, select the required users or group. You can immediately select both the group and users.

Now set the download speed limit. We indicate how much of the total speed needs to be reserved for these groups and users and the limit itself. We indicate the same for the download item.

We leave the interface and available time as default and apply this rule.

Kerio Control falls into the category of software that combines a wide range of functionality with ease of implementation and operation. Today we will look at how this program can be used to organize group work among employees on the Internet, as well as reliably protect the local network from external threats.


The implementation of the product begins with its installation on a computer that plays the role of an Internet gateway. This procedure is no different from installing any other software, and therefore we will not dwell on it. We only note that during this process some Windows services will be disabled that interfere with the program’s operation. After the installation is complete, you can proceed to configuring the system. This can be done either locally, directly on the Internet gateway, or remotely, from any computer connected to the corporate network.

First of all, we launch the management console through the standard "Start" menu. It is used to configure the product in question. For convenience, you can create a connection that in the future will allow you to quickly connect to. To do this, double-click on the item "New connection", indicate in the window that opens the product (Kerio Control), the host on which it is installed, as well as the user name, and then click on the button "Save as" and enter the name of the connection. After this, you can establish a connection with. To do this, double-click on the created connection and enter your password.

Basic setup of Kerio Control

In principle, all operating parameters can be configured manually. However, for initial implementation it is much more convenient to use a special wizard that starts automatically. At its first step, you are asked to familiarize yourself with basic information about the system. There is also a reminder here that the computer running Kerio Control must be connected to the local network and have a working Internet connection.

The second stage is choosing the type of Internet connection. There are four options available here, from which you need to choose the most suitable one for your specific local network.

  • Permanent access – the Internet gateway has a permanent connection to the Internet.
  • Dial-on-demand - will independently establish an Internet connection as needed (if a RAS interface is available).
  • Reconnect on failure – when the Internet connection is lost, it will automatically switch to another channel (two Internet connections are required).
  • Channel load balancing - will simultaneously use several communication channels, distributing the load between them (two or more Internet connections are required).

In the third step, you need to specify the network interface or interfaces connected to the Internet. The program itself detects and displays all available interfaces in the form of a list. So the administrator can only choose the appropriate option. It is worth noting that in the first two types of connections you need to install only one interface, and in the third - two. The setting of the fourth option is slightly different from the others. It provides the ability to add any number of network interfaces, for each of which you need to set the maximum possible load.

The fourth step is to select the network services that will be available to users. In principle, you can select the option "No limits". However, in most cases this will not be entirely reasonable. It is better to tick off those services that are really needed: HTTP and HTTPS for browsing websites, POP3, SMTP and IMAP for working with mail, etc.

The next step is to configure rules for VPN connections. To do this, only two checkboxes are used. The first determines which clients users will use to connect to the server. If they are “native”, that is, released by Kerio, then the checkbox must be activated. Otherwise, for example, when using built-in Windows tools, it must be disabled. The second checkbox determines the possibility of using the Kerio Clientless SSL VPN function (managing files, folders, downloading and uploading via a web browser).

The sixth step is to create rules for services that run on the local network, but must also be accessible from the Internet. If you enabled Kerio VPN Server or Kerio Clientless SSL VPN technology in the previous step, then everything necessary for them will be configured automatically. If you need to ensure the availability of other services (corporate mail server, FTP server, etc.), then for each of them click on the button "Add", select the name of the service (standard ports for the selected service will open) and, if necessary, specify the IP address.

Finally, the final screen of the setup wizard is a warning before the rule generation process begins. Just read it and click on the "Complete" button. Naturally, in the future, all created rules and settings can be changed. Moreover, you can either re-run the described wizard or edit the parameters manually.

In principle, after completion of the work the wizard is already in working order. However, it makes sense to slightly adjust some parameters. In particular, you can set limits on bandwidth usage. It gets clogged the most when transferring large, voluminous files. Therefore, you can limit the download and/or upload speed of such objects. To do this, in the section "Configuration" you need to open the section "Bandwidth limit", enable filtering and enter the bandwidth available for large files. If necessary, you can make the limitation more flexible. To do this, click on the "Additionally" button and specify in the window that opens services, addresses, and time intervals for filters. In addition, you can immediately set the size of files that are considered large.

Users and groups

After the initial setup of the system, you can begin adding users to it. However, it is more convenient to first divide them into groups. This will make them easier to manage in the future. To create a new group, go to the "Users and groups->Groups" section and click on the "Add" button. This will open a special wizard consisting of three steps. In the first step, you need to enter the name and description of the group. In the second, you can immediately add users to it, if, of course, they have already been created. In the third step, you need to define the rights of the group: access to system administration, the ability to disable various rules, permission to use VPN, viewing statistics, etc.

After creating groups, you can proceed to adding users. The easiest way to do this is if a domain is deployed on the corporate network. In this case, just go to the section "Users and groups->Users", open the Active Directory tab, enable the checkbox "Use domain user database" and enter the login and password of an account that has the right to access this database. In this case, domain accounts will be used, which, of course, is very convenient.

Otherwise, you will need to enter users manually. For this purpose, the first tab of the section in question is provided. Creating an account consists of three steps. On the first one, you need to specify a login, name, description, email address, as well as authentication parameters: login and password or data from Active Directory. In the second step, you can add the user to one or more groups. At the third stage, it is possible to automatically register an account to access the firewall and certain IP addresses.

Setting up a security system

It implements ample opportunities to ensure the security of the corporate network. In principle, we have already started protecting ourselves from external threats when we set up the firewall. In addition, the product in question implements an intrusion prevention system. It is enabled by default and configured to perform optimally. So you don't have to touch it.

The next step is antivirus. It is worth noting that it is not available in all versions of the program. To use anti-malware protection, it must be purchased with a built-in antivirus, or an external antivirus module must be installed on the Internet gateway. To enable anti-virus protection, you must open the section "Configuration->Content Filtering->Antivirus". In it, you need to activate the module being used and use checkboxes to mark the protocols being checked (it is recommended to enable all). If you are using a built-in antivirus, then you need to enable updating the anti-virus databases and set the interval for performing this procedure.

Next, you need to configure the HTTP traffic filtering system. This can be done in the section "Configuration->Content Filtering->HTTP Policy". The simplest filtering option is to unconditionally block sites that contain words from the "black" list. To enable it, go to the "Forbidden words" tab and fill out the list of expressions. However, there is a more flexible and reliable filtering system. It is based on rules that describe the conditions for blocking user access to certain sites.

To create a new rule, go to the "URL Rules" tab, right-click on the field and select "Add" from the context menu. The window for adding a rule consists of three tabs. The first one specifies the conditions under which it will be triggered. First, you need to select who the rule applies to: all users or only specific accounts. After this, you need to set the criterion for matching the URL of the requested site. To do this, you can use a string that is included in the address, group of addresses or rating of the web project in the Kerio Web Filter system (essentially, the category to which the site belongs). Finally, it is worth indicating the system’s reaction to the fulfillment of conditions - allow or deny access to the website.

On the second tab, you can specify the interval during which the rule will apply (by default, always), as well as the group of IP addresses to which it applies (by default, all). To do this, you simply need to select the appropriate items in the drop-down lists of preset values. If time intervals and groups of IP addresses have not yet been set, then using the "Edit" buttons you can open the desired editor and add them. Also on this tab you can set the program’s action if the site is blocked. This can be by issuing a page with a given refusal text, displaying a blank page, or redirecting the user to a given address (for example, to a corporate website).

If the corporate network uses wireless technologies, it makes sense to enable a MAC address filter. This will significantly reduce the risk of unauthorized connection of various devices. To implement this task, open the section "Configuration->Traffic Policy->Security Settings". In it, activate the checkbox "MAC Address Filter Enabled", then select the network interface to which it will apply, switch the list of MAC addresses to "Allow only listed computers to access the network" and fill it out with the details of wireless devices owned by the company.
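Both this MAC filter and the gateway-wide list prepared in advance in the first part of the page depend on a clean inventory of addresses. The following is an added example (not from the original articles) that normalizes an inventory collected in mixed notations and sets aside entries that should not go into an allow list; the inventory rows, owner names and output notation are constructed assumptions.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample inventory (RFC 7042 documentation MAC range where possible).
SAMPLE_INVENTORY = [
    ("00-00-5E-00-53-01", "pc-accounting-1"),    # Windows ipconfig notation
    ("0000.5e00.5302",    "switch-export-row"),  # dotted notation from a switch
    ("00:00:5e:00:53:01", "pc-accounting-1"),    # same device, other notation
    ("00:00:5E:00:53:02", "laptop-sales-3"),     # same MAC, different owner
    ("DA:A1:19:00:53:10", "phone-ceo"),          # locally administered bit set
    ("01:00:5e:00:00:fb", "mdns-noise"),         # multicast group, not a device
    ("00:00:5e:00:53",    "typo"),               # only five octets
]


def normalize_mac(raw):
    """Return the address as lowercase aa:bb:cc:dd:ee:ff or raise ValueError."""
    digits = re.sub(r"[\s:.\-]", "", raw.strip().lower())
    if not HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac):
    """Classify a normalized MAC by the two low bits of its first octet."""
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"             # I/G bit: group address
    if first & 0x02:
        return "locally-administered"  # U/L bit: randomized or software-set
    return "universal"                 # vendor-assigned (burned-in) address


def build_allowlist(inventory):
    """Split (raw_mac, owner) rows into an allow list and rows to review.

    Returns (allow, rejected): allow maps normalized MAC -> owner,
    rejected is a list of (raw_mac, owner, reason).
    """
    allow, rejected = {}, []
    for raw, owner in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append((raw, owner, "malformed"))
            continue
        kind = classify(mac)
        if kind != "universal":
            # Randomized "private" Wi-Fi addresses change over time, so an
            # allow-list entry for them silently stops matching the device.
            rejected.append((raw, owner, kind))
            continue
        if mac in allow and allow[mac] != owner:
            rejected.append((raw, owner, f"owner conflict with {allow[mac]}"))
            continue
        allow[mac] = owner
    return allow, rejected


if __name__ == "__main__":
    allow, rejected = build_allowlist(SAMPLE_INVENTORY)
    for mac, owner in sorted(allow.items()):
        print(f"ALLOW  {mac}  {owner}")
    for raw, owner, reason in rejected:
        print(f"REVIEW {raw}  {owner}  ({reason})")
```

A MAC address can be changed by whoever controls the device, so the filter works as inventory hygiene alongside authentication on the wireless network, not as a replacement for it.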

Let's take stock

So, as we see, despite the wide functionality, it is quite simple to organize group work of corporate network users on the Internet with its help. It is clear that we have only covered the basic setup of this product.

Maxim Afanasiev

Since 1997, Kerio Technologies has been developing and releasing unique software solutions in the field of computer security to protect internal company networks from external attacks and creates systems for collaboration and electronic communications. Products from Kerio Technologies are aimed at medium and small businesses, but can also be successfully used in large companies. It is worth noting that the software is developed taking into account global trends in the field of information security, and the company itself is an innovator in this area.

The prototype of the Kerio Control software package, which will be discussed in this article, was the Winroute Pro software gateway, the first version of which was released in 1997. Winroute Pro software was an advanced proxy server designed to provide local computers with access to the Internet through a single external Internet channel. This product almost immediately gained popularity and quickly became a competitor to one of the most widespread proxy servers at that time, WinGate. Even then, Kerio products were distinguished by a clear interface and convenient configuration, and also, importantly, reliability and security. Since then, Kerio Winroute has been constantly modernized, many useful features and capabilities have been added to it. At the beginning of its journey it was called Winroute Pro, then the name was changed to Winroute Firewall, and starting from version 7 the product received its current name - Kerio Control.

Kerio quickly realized the possibilities of virtualization and embarked on the path of maximum integration with virtual environments, which today are actively developing thanks to the advent of multi-core processors and significant progress in the field of IT. All new Kerio products are now available for VMware and Hyper-V virtualization environments, allowing you to deploy the software on any platform and migrate the product without having to reinstall it on a new hardware platform. In addition, this approach offers company network administrators greater choice when building their network infrastructure. Initially, Kerio products were delivered as a Windows application, but after the release of a version for virtualization systems, the company decided to completely abstract from the operating system and no longer release Kerio Control as a separate application. Starting with version 8, Kerio Control comes in only three flavors: Software Appliance, VMware Virtual Appliance and Hyper-V Virtual Appliance. All options use a modernized Linux operating system based on Debian (an SMP version with reduced functionality is used), which does not require additional lengthy setup and maintenance. The Firewall Software Appliance is available as an ISO image just over 250 MB in size and can be easily installed on dedicated hardware without requiring an operating system installation. VMware Virtual Appliance comes in OVF and VMX packages for VMware environments, and Hyper-V Virtual Appliance is designed for Microsoft virtualization systems, all pre-deployed with configurable options. According to the developer, the OVF version of this software, in principle, can be installed on other virtualization systems. This approach allows a more flexible approach to the implementation of a company’s network and abandons the use of hardware solutions, which often cannot be upgraded in hardware, since this requires significant costs, or their capabilities are strictly limited.

Let's look at the main features of the Kerio Control software, as well as a number of innovations that were missing in previous versions. Let us remind you that the 8th version of Kerio Control was first released in March of this year. At the time of writing, in addition to a small update, Kerio released the Kerio Control 8.1 update in June, which also brought some additional functionality.

Installation of Kerio Control can be done either using Software Appliance, that is, deploying the system from a separate ISO image, or by initializing a virtual machine on a virtualization server. The latter method involves several installation paths, including the ability to automatically download the latest version of Kerio Control from the manufacturer’s website via the VMware VA Marketplace. When installing from an ISO image, all steps to deploy Kerio Control involve the administrator answering a few simple questions from the installation wizard. Initializing the Kerio Control virtual machine allows you to skip the main installation stage, and the administrator only needs to set the initial parameters of the virtual machine: the number of processors, the amount of RAM, the number of network adapters and the size of the disk subsystem. In the basic version, the Kerio Control virtual machine has the most minimal parameters, however, to perform further administration, at least one network adapter is required, specified in the machine properties.

After installing the system in one way or another and successfully initializing Kerio Control, the user will have access to basic network configuration settings through the management console (Fig. 1). By default, network adapters connected to Kerio Control attempt to obtain IP addresses using DHCP. If obtaining IP addresses was successful, the administrator can connect to Kerio Control via the local network by entering the IP address displayed in the management console. The basic management console allows you to configure network adapter settings, reset Kerio Control to basic settings, reboot or disable Kerio Control. It is worth noting that, if necessary, you can exit to the full bash command shell of the operating system by pressing the Alt + F2-F3 key combination. To log in, you will need to enter the root login and administrator password specified when installing Kerio Control. Additional debugging information can be called up by pressing Alt + F4-F5. Further configuration of parameters occurs through the web administration console over an SSL encrypted channel.

Fig. 1. Management console

All parameters can be set via the control panel, which operates through a secure web interface (Fig. 2). Work with such an interface is carried out through the secure HTTPS/SSL protocol. The administration console allows you to manage all firewall settings. Compared to previous versions based on version 7 of Kerio Control, the design of this control panel has undergone significant changes. Thus, the first page of the control panel has a tiled, customizable interface (“Dashboard”), to which you can add or remove the necessary elements for quickly diagnosing the status of Kerio Control. This is very convenient, since the administrator immediately sees the load on communication channels, user activity, system status, VPN connections, etc.

Fig. 2. Control panel

The following options have been added to the updated version of Kerio Control 8.1: saving configuration and settings in the cloud service Samepage.io in automatic mode, monitoring parameters via the SNMP protocol, the ability to use debugging tools Ping, Traceroute, DNS Lookup, Whois on behalf of the Kerio Control gateway in the administration web interface. In addition, Kerio Control now supports regular expressions for URLs, automatic raising of VPN tunnels, password brute force protection and more advanced packet analysis capabilities. It should also be noted that the latest version of Kerio Control Software Appliance has added support for more RAID controllers, which will expand the ability to deploy this system on individual hardware platforms.

The Kerio Control web management interface has not only an administrative panel, but also a separate user interface (Fig. 3). The administration panel does not have the ability to change anything in Kerio Control, but allows you to track user or user statistics over various periods of time. Statistics provide data on resources visited, the amount of data transferred and other information. If a user has an administrative account in the Kerio Control system, he can receive statistical data about other users of the system through this control panel. Accurate and well-thought-out statistics help the administrator to find out user preferences when working on the Internet, find critical elements and problems. The panel generates a detailed histogram of traffic usage for each user on the network. The administrator can select the period for which he wants to track traffic usage: two hours, a day, a week and a month. In addition, Kerio Control shows statistics on actual traffic usage by type: HTTP, FTP, email, streaming multimedia protocols, data exchange directly between computers or proxies.

Fig. 3. User panel

For a modern company whose branches can be located all over the world, a secure connection to the corporate network is a necessity, since outsourcing is actively developing today. With Kerio Control, setting up a VPN is virtually effortless. The VPN server and clients are the part of Kerio Control that provides secure remote access to the corporate network. A Kerio VPN virtual network allows users to connect remotely to any resources on the corporate network and work with the organization's network as if it were their own local network. The VPN server built into Kerio Control supports two scenarios: "server to server" and "client to server" (the latter used by Kerio VPN Client for Windows, Mac and Linux). The "server to server" mode is used by companies that want to connect a remote office over a secure channel in order to share resources. This scenario requires Kerio Control on each of the connecting sides to establish a secure channel over the open Internet. The "client to server" mode allows a remote user to securely connect a laptop or home computer to the corporate network. As many system administrators know, VPN and NAT (Network Address Translation) do not always work well together. Kerio VPN is designed to work reliably across NAT, and even across a series of NAT gateways. Kerio VPN uses standard encryption algorithms, SSL for the control channel (TCP) and Blowfish for data (UDP), and also supports IPsec.

The Kerio Control gateway has built-in virus protection, which scans both incoming and outgoing traffic. Earlier versions of Kerio Control used a built-in antivirus from McAfee; the latest versions use an antivirus from Sophos. The administrator can set inspection rules for traffic over various protocols: SMTP and POP3, web (HTTP) and file transfer (FTP). The firewall's built-in antivirus installed on the gateway provides complete protection for traffic passing through the gateway. Since the integrated antivirus can receive new virus database updates in real time, it significantly increases the level of network security when used alongside antivirus programs on each computer on the local network. The antivirus scans incoming and outgoing messages, as well as all attachments. If a virus is detected in an attachment, the entire attachment is deleted and a notification is added to the email. In addition, Kerio Control scans all network traffic, including HTML pages, for embedded viruses. Files downloaded via HTTP and files transferred via FTP are also scanned. For organizations and institutions, such as schools, that do not want their employees and clients to visit certain pages, Kerio Control with the built-in Kerio Control Web Filter (available as an option at additional cost) provides further options for blocking pages on the Internet.

Kerio Control allows administrators not only to create an overall traffic strategy, but also to set and enforce restrictions for each user. Each user must log in to Kerio Control before accessing the Internet. User accounts are stored in a separate internal user database or taken from the corporate Microsoft Active Directory or Apple Open Directory. Local and domain user databases can be used in parallel. With Microsoft Active Directory integration, domain users can be authorized transparently through NTLM authentication. As part of Windows 2008/2012 Server, Active Directory allows administrators to centrally manage user accounts and network resource data, and it provides access to user information from a single computer. Active Directory/Open Directory support gives Kerio Control real-time access to the user database and allows you to set up a user on the local network without saving a password. This way, there is no need to synchronize passwords for each user. All changes in Microsoft Active Directory/Open Directory are automatically reflected in Kerio Control.

The administrator can set different access restrictions for each user. These rules can be limited to specific periods of time and can impose various limits on traffic usage. When the limit is reached, Kerio Control sends an email warning to the user and the administrator, or the administrator blocks that user for the rest of the day or month.

In conclusion, it is worth noting that Kerio Control is very popular among system administrators because of its clear advantages over, for example, similar solutions included in the standard package of Linux-based operating systems (such as iptables). Quick setup, extensive capabilities and a high degree of protection make this software product attractive for small companies.






