Kerio Control - installation and some basic settings.


It works for the address, but not for the server name, etc.). In general, people are lazy and do not read the docs, so I decided to write a short guide on configuring DNS on a computer running Kerio Winroute Firewall and on the client computers.

We consider the three most common cases:

1. Peer-to-peer network without a domain (as Comrade Naliman put it ;)), or rather without a DNS server; a separate machine with Winroute installed is used as the gateway to the Internet;
2. A network with a domain, the DNS server is located on a DC (domain controller), a separate machine with Winroute installed is used as a gateway to the Internet;
3. A network with a domain, the DNS server is on a DC, Winroute is also installed on this DC.

The third option is strongly discouraged for security and common sense reasons, but unfortunately it is used quite often in small networks where the domain already exists, but the money is gone :)


In any case, there is a computer with two network cards (one internal, facing the local network, the other external, facing the Internet), through which we go to the Internet, and on which, naturally :), Kerio Winroute Firewall is installed.
Do not forget that the addresses on these two network cards must be in different subnets, i.e. like this:

Quote:

192.168.0.1
192.168.1.1

For some reason beginners run into this very often, for example when an ADSL modem is involved.

1. Setting up DNS in a peer-to-peer network.

Internal network settings

But! We do not blindly enter them on the external interface; we do it slightly differently:

Click Advanced. On the DNS tab, uncheck "Register this connection's addresses in DNS"; on the WINS tab, uncheck "Enable LMHOSTS lookup" and select "Disable NetBIOS over TCP/IP". Also, "Client for Microsoft Networks", "Network Load Balancing" and "File and Printer Sharing for Microsoft Networks" MUST NOT be checked on this interface.

By the way, it is convenient to rename the external interface from Local Area Connection to something like Internet Interface.

Next, go to Control Panel -> Network Connections; in that (Explorer) window open the Advanced menu -> Advanced Settings. On the "Adapters and Bindings" tab, move "Local Area Connection" (the internal interface) to the top of the list.

On the client computer, the network card settings will be something like this:

In Winroute, under Configuration -> DNS Forwarder, check "Enable DNS Forwarding" and specify the provider's DNS servers.

2. A network with a domain, the DNS server is located on a DC (domain controller), a separate machine with Winroute installed is used as a gateway to the Internet.

The settings differ little from the previous case; in principle everything is the same, except:

2.1 In Forward Lookup Zones, remove the "." zone if one exists, then restart the "DNS Server" service.

2.2 On the domain controller, in the DNS server properties, enable forwarding to the IP address of the provider's DNS server (and do not forget to add a Traffic Policy rule that allows the controller to reach the provider's DNS server). The DNS Forwarder in Winroute should then be turned off.

2.3 Internal network settings

We DO NOT specify the gateway!

External network settings:

2.4 Client settings:

3. A network with a domain, the DNS server is on a DC, Winroute is also installed on this DC.

All settings are identical to the first case, except for some very important points:

3.1 In a network that reaches the Internet through a gateway that is also a domain controller running the DNS Server service, the DNS server setting on both the internal and external interfaces of that controller must point to the controller itself.
In Forward Lookup Zones, remove the "." zone if present, then restart the "DNS Server" service.
In the DNS server properties, on the Forwarders tab, enable forwarding to the provider's DNS server and restart the "DNS Server" service again.

3.2 A reverse lookup zone must be created (proper admins probably created one when DNS was first set up :)), since without it the DNS server cannot determine its own name. As the network ID, enter the first three octets of our IP address.
To check, open the zone properties and make sure our DNS server (or servers, if there are several) is listed on the "Name Servers" tab. Add any that are missing, preferably with the "Browse" button. That's it. It remains to enable dynamic updates so that client machines register in this zone, although you can do without that.

3.3 On the domain controller, in the DNS server properties, enable forwarding to the IP address of the provider's DNS server, in this case 80.237.0.97;

3.4 DNS Forwarder in Winroute is disabled (uncheck "Enable DNS Forwarding");

3.5 Settings of the external interface on the server:

To check on the client, run the commands:

Code:
nslookup (GateWayName)
nslookup (GateWayIP)
nslookup yandex.ru
nslookup 213.180.204.11

If none of the above commands produces an error message, everything worked.

P.S. If something does not work for you, please do not ask your question in this thread but create a separate one (remembering to describe the problem in detail; there are no telepaths here. Also include the output of ipconfig /all from the computer running Winroute and from the client computer).
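As an added example (not part of the original post), the script below encodes the rules of the three layouts above as a configuration check and replays the four nslookup checks through a pluggable resolver; the interface addresses, host name "gw.local" and the dataclass field names are my own constructed assumptions.

```python
"""Validate the three Winroute/DNS layouts from the text and replay its
nslookup checks.  Added example; field names and sample values are assumed."""
import ipaddress
import socket
from dataclasses import dataclass, field

# Services that must NOT stay bound on the external (Internet-facing) NIC.
FORBIDDEN_ON_EXTERNAL = {
    "Client for Microsoft Networks",
    "File and Printer Sharing for Microsoft Networks",
    "Network Load Balancing",
    "NetBIOS over TCP/IP",
}


@dataclass
class GatewayLayout:
    scenario: int                       # 1, 2 or 3, as numbered in the text
    internal_ip: str                    # e.g. "192.168.0.1/24"
    external_ip: str                    # e.g. "192.168.1.1/24"
    winroute_forwarder: bool            # Configuration -> DNS Forwarder enabled
    dc_forwards_to_isp: bool = False    # DC DNS forwards to the provider's DNS
    root_zone_present: bool = False     # a "." forward lookup zone exists on the DC
    internal_nic_gateway: bool = False  # default gateway set on the internal NIC
    external_bindings: set = field(default_factory=set)


def check_layout(cfg: GatewayLayout) -> list:
    """Return findings; an empty list means the layout follows the text."""
    findings = []
    inside = ipaddress.ip_interface(cfg.internal_ip).network
    outside = ipaddress.ip_interface(cfg.external_ip).network
    if inside.overlaps(outside):
        findings.append("internal and external NICs are in the same subnet")
    for svc in sorted(FORBIDDEN_ON_EXTERNAL & cfg.external_bindings):
        findings.append(f"'{svc}' is still bound on the external interface")
    if cfg.internal_nic_gateway:
        findings.append("default gateway must not be set on the internal NIC")
    if cfg.scenario == 1:
        # Peer-to-peer: Winroute's DNS Forwarder answers the clients.
        if not cfg.winroute_forwarder:
            findings.append("scenario 1: enable DNS Forwarding in Winroute")
    else:
        # Domain: the DC's DNS forwards to the provider; Winroute forwarder is off.
        if cfg.winroute_forwarder:
            findings.append("DNS Forwarder must be disabled when the DC runs DNS")
        if not cfg.dc_forwards_to_isp:
            findings.append("DC DNS server has no forwarder to the provider")
        if cfg.root_zone_present:
            findings.append("remove the '.' forward lookup zone on the DC")
    return findings


def system_resolver(query: str) -> str:
    """Default resolver: forward lookup for names, reverse lookup for addresses."""
    try:
        ipaddress.ip_address(query)
        return socket.gethostbyaddr(query)[0]
    except ValueError:
        return socket.gethostbyname(query)


def verify_resolution(gateway_name, gateway_ip, resolver=system_resolver) -> dict:
    """Replay the four nslookup checks from the text (value = answer, or None on
    failure) and flag a gateway whose reverse record disagrees with its
    forward record, which plain nslookup does not point out."""
    results = {}
    for q in (gateway_name, gateway_ip, "yandex.ru", "213.180.204.11"):
        try:
            results[q] = resolver(q)
        except (socket.gaierror, socket.herror, OSError, KeyError):
            results[q] = None
    results["gateway_consistent"] = (
        results[gateway_name] == gateway_ip
        and (results[gateway_ip] or "").lower().rstrip(".") == gateway_name.lower()
    )
    return results
```

Pass a dict's `__getitem__` as `resolver` to test a layout without touching the network; the default resolver uses the machine's own DNS settings.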

DESCRIPTION

The main task of a corporate firewall is to control incoming and outgoing network traffic for compliance with corporate security policy.

Kerio WinRoute Firewall provides the ability to define granular access rules to scan all Internet traffic and bring it in line with corporate security policies. The Network Rules Wizard helps you quickly set up and configure your firewall.

Kerio WinRoute Firewall is a robust network firewall operating at the TDI/NDIS layers of the operating system. Inbound and outbound traffic analysis technology helps ensure the highest level of security for the entire local network, as well as for individual computers operating on the network.

Functionality

Traffic policy

Security in Kerio WinRoute Firewall is based on rules applied to traffic: packet filters, NAT (network address translation), port mapping and access control are configured in a single convenient table.

The built-in configuration wizard greatly simplifies the process of creating and configuring the required network rules. Setting up a firewall and connecting to the Internet takes literally minutes.

Intrusion prevention system

A prerequisite for ICSA Labs network firewall certification is the ability to recognize hacker attacks and intrusions. Attempts of all such actions are recorded in the security log.

Anti-spoofing

Anti-spoofing is a component of the Kerio WinRoute Firewall packet filter that provides an additional layer of protection for the local network against attacks in which an attacker forges the source IP address.

Firewall logs

An important function of any system security product is the ability to record events in detail.

Kerio WinRoute Firewall records events in several different logs - error messages, debug events, user settings, status, web surfing, port scans, etc.

Logging can be activated for any of the rules defined in the traffic rules table. This gives the administrator full control over the connections through the firewall.

Protocol control

This feature allows individual applications with their own protocols (not originally designed to pass through a firewall) to work safely on local networks. Many protocols can be scanned, filtered or modified to improve the overall reliability of the firewall.

Kerio Winroute Firewall - VPN Server and Client

For all modern business people, whether traveling or working from home, a secure connection to the corporate network is a prerequisite. With Kerio WinRoute Firewall, setting up a VPN is virtually effortless. The VPN server and clients are part of Kerio WinRoute Firewall's secure remote access capabilities.

Using Kerio VPN allows users to remotely connect to resources on the corporate network, such as file servers, database servers, or even printers, which are usually hidden behind a firewall and cannot be used outside the office network.

Kerio VPN Server

The VPN server built into the Kerio WinRoute Firewall product allows you to organize VPN networks in two different scenarios:

  • VPN client-server (used by Kerio VPN Client for Windows)
  • VPN server-to-server

Server-to-server mode is used by companies that want to connect via a secure channel to a remote office to share common resources. This scenario requires Kerio WinRoute Firewall on each of the connecting sides to establish a secure channel over the open Internet.

VPN client-server

Client-server mode allows a remote user to securely connect a laptop or configured PC to the corporate network.

Kerio VPN Client

Kerio VPN Client is a small application that runs on the connecting PC. It works on Windows 2000 and later.

Clientless SSL VPN

Kerio WinRoute Firewall 6.1 includes a new service called Clientless SSL VPN that allows remote clients to access shared files on servers on a local network using a regular browser. There is no need to install any special client software.

NAT translation

As administrators know, VPN and NAT (Network Address Translation) do not always work together. Kerio VPN is designed to work reliably through NAT and even through a range of NAT gateways.

Kerio VPN uses standard encryption algorithms - SSL for channel control (TCP) and Blowfish for data transfer (UDP).

IPSec, Windows, and third party VPNs

In cases where a company has a certain standard for the use of VPN products, Kerio WinRoute Firewall includes support for IPSec and PPTP protocols, allowing the use of various third-party solutions.

It is also permissible to use the VPN capabilities built into Windows, which allows you to build a VPN network using only Microsoft Windows and Kerio WinRoute Firewall tools. No third party software required. Kerio WinRoute Firewall also supports RRAS functionality available in server editions of Microsoft Windows operating systems.

Kerio Winroute Firewall - Internet Virus Protection

Kerio WinRoute Firewall adds a further barrier against viruses by scanning both inbound and outbound traffic:

  • Email (SMTP and POP3)
  • Web (HTTP)
  • File transfer (FTP)

For this, two licensed versions have been developed:

  1. Kerio WinRoute Firewall combined with McAfee Anti-Virus
  2. Kerio WinRoute Firewall with other anti-virus software

The Benefits of Virus Firewalling

Antivirus protection installed at the network gateway covers all traffic. Administrators can keep the latest virus definitions on the gateway, which is much more efficient than maintaining antivirus software on each computer.

Email Virus Protection

Kerio WinRoute Firewall checks incoming and outgoing messages, as well as all attachments. The virus detected in the message is removed. If a virus is detected in an attachment, the entire attachment is deleted, and a notification is added to the message.

Protecting your network from viruses

Kerio WinRoute Firewall scans all network traffic, including HTML pages, for embedded viruses. Files downloaded via HTTP and files transferred via FTP are also scanned for viruses.

Partnership with McAfee, Inc

Kerio Technologies Inc., together with McAfee, Inc. (Network Associates), has created a cross-platform antivirus software product for Windows, Linux and Mac OS X. Kerio WinRoute Firewall combined with McAfee can receive updated virus definitions almost hourly.

Kerio WinRoute Firewall combined with McAfee Anti-Virus

Kerio WinRoute Firewall combined with McAfee Anti-Virus is a software suite that provides complete firewall virus protection for your entire network.

In this case, the anti-virus settings refer only to firewall protection. Installation is simple and consistent, it does not require additional settings. By combining software products, all elements of the server - virus protection and firewall - are consistent with each other.

McAfee AntiVirus is manufactured by McAfee, Inc.

Kerio WinRoute Firewall with other antivirus software

Kerio WinRoute Firewall can work in conjunction with some anti-virus products from other manufacturers (see Table 2).

Table 2

  • AVG Server Edition
  • eTrust Antivirus
  • Computer Associates
  • Symantec
  • Avast! for Kerio
  • VisNetic AntiVirus

ISS Orange Web Filter

An additional component of the Kerio WinRoute Firewall software for protection while working on the Internet.

For organizations and institutions such as schools that do not want their employees and customers to visit certain Internet pages, Kerio WinRoute Firewall with built-in ISS Orange Web Filter offers additional options.

ISS Orange Web Filter offers a list of 58 categories of pages, such as e-shops, news, pornography, sports or travel, that can be blocked by Kerio WinRoute Firewall.

Price

ISS Orange Web Filter is sold as an add-on to the Kerio WinRoute Firewall.

How this filter works

Kerio WinRoute Firewall software is easy to use and different user groups may have limited access to different sites.

Every time a user tries to visit a site, Kerio WinRoute Firewall checks the ISS Orange Web Filter database to see whether the page is listed in one of the blocked categories. If it is, Kerio WinRoute Firewall automatically blocks access to it. The user can also be warned that the administrator will be informed of their actions.

Full coverage

ISS Orange Web Filter's database is one of the largest, with over 4 billion checked pages and 20 million numbered and grouped URLs.

If a user requests a page that is not in the main database, its URL is sent to the ISS, where it is viewed within 24 hours.

ISS Orange Web Filter processes pages in 15 languages.

High speed

Kerio WinRoute Firewall with ISS Orange Web Filter caches URLs in a local database. The main database contains only URLs that users are not allowed to access.

The main database is stored on seven ISS servers located around the world to provide fast responses.

Detailed statistics

Kerio WinRoute Firewall provides detailed network traffic statistics for each user or for the entire organization. The administrator can use these statistics to find out the user's preferences and determine the strategy for using network resources.

Kerio Winroute Firewall - User Access Control

The main goal of network security is to develop an Internet access strategy. Kerio WinRoute Firewall allows administrators not only to create a general strategy for using traffic, but also to set and apply restrictions for each user.

User management

In Kerio WinRoute Firewall, the term "user" can mean the following:

  • Name and password of each user
  • User group
  • IP address or computer name
  • The whole network

Before accessing the Internet, each user must register with the Kerio WinRoute Firewall.

User management with an internal user database

User accounts are stored either in a separate internal user database of the Kerio WinRoute Firewall, or, if the network is large, on a remote Microsoft Active Directory server. You can work with these two databases at the same time.

User Management with Active Directory

As part of Windows 2000 Server, Active Directory allows administrators to centrally manage user accounts and network resource information. Active Directory provides access to user information from a single computer.

Active Directory support gives Kerio WinRoute Firewall real-time access to the user database and allows a user on the local network to be authenticated without storing their password in the firewall. Thus there is no need to synchronize passwords for each user. All changes in Microsoft Active Directory are automatically reflected in Kerio WinRoute Firewall.

Access control

The administrator can set different access restrictions for each user. For example, some users may only open internal pages, others may only use e-mail. These rights can also be tied to a schedule, so they apply only during specific time intervals.

Traffic restrictions

Some users download a lot of files, listen to radio over the Internet, and send home videos to each other. Often, if one user takes up too much traffic, this affects the quality of the connection of other users.

To rein in such users, the administrator can set restrictions on traffic usage. These can be:

  • Restrictions on uploads, downloads, or both
  • A limit on traffic per day or per month
  • Any combination of the first and second points

When the limit is reached, Kerio WinRoute Firewall will send an email alert to the user and administrator. Alternatively, the administrator can block this user until the end of the day or month.

Kerio Winroute Firewall - Administration

Statistics and Reporting (StaR)

You can use the StaR module to display employee Internet usage. Statistics are displayed as graphs showing non-work-related traffic consumption, resource constraints and other issues. The reports contain information about how much traffic was used, the main sites visited and, in combination with the optional (IBM) ISS Orange Web Filter module, the percentage of the most visited resources by category. StaR can be used remotely through a browser without logging in to the Administration Console.

Remote administration

The system administrator configures the program, manages user accounts and security policy through the Kerio Administration Console. It can be installed on a computer with a firewall already installed, or on a remote computer connected to the Internet. Data exchange between the remote console and the firewall system is carried out over an encrypted channel.

Email notifications

Sometimes the administrator cannot keep track of everything that happens to the firewall system. Kerio WinRoute Firewall helps track critical events such as network disconnection, user traffic overload, virus detection, or license expiration.

Each such event is communicated to the administrator by e-mail, and he himself can choose which events he should be notified about.

Traffic usage statistics and graph

Accurate and thoughtful statistics help the administrator to find out the preferences of users when using the Internet, find critical elements and problems.

Kerio WinRoute Firewall generates a detailed histogram of traffic usage for each user on the network. The administrator can select the period for which he wants to track traffic usage: 2 hours, 1 day, 1 week and 1 month.

In addition, Kerio WinRoute Firewall shows statistics on the actual use of traffic, by its types: HTTP, FTP, e-mail, streaming multimedia protocols, data exchange directly between computers or proxies.

If you run the ISS Orange Web Filter, Kerio WinRoute Firewall shows statistics of visits to Internet pages for each user and for the entire organization.

Characteristics of the program

Internet Connection Methods Used

Support for DSL, dial-up, ISDN, satellite and wireless Internet connections allows Kerio WinRoute Firewall to be installed in networks of any size anywhere. Several users can share one connection.

Lost connection

If Kerio WinRoute Firewall detects a broken connection, it automatically switches to the spare one. Any network or modem adapter can be used for the spare connection.

NAT and proxy

Fast Internet access thanks to two different technologies: network address translation (NAT) and proxy server.

A NAT router provides Internet access to all computers on the local network and works with almost any protocol. When using NAT, no additional settings are required on each computer.

The proxy server acts as the client toward the remote server on behalf of the client computer. Because of the complexity of this technology, only a few protocols are supported. On the other hand, it offers features such as authentication and user access control.

DNS forwarding mechanism

The built-in DNS forwarding mechanism creates a DNS query whenever a user visits a website, sends it to the selected DNS server and caches the result for some time, so repeated queries are answered immediately.

DHCP server

A DHCP server assigns IP configuration parameters to each computer on the LAN, making network administration much easier.

HTTP proxy cache server

H.323 and SIP

Kerio protocol validators help firewalls work properly with VoIP telephony or video transmission. Kerio WinRoute Firewall works with VoIP devices using H.323 or SIP protocols connected to a secure network. That is, there is no need to connect VoIP equipment to the Internet.

Cisco SCCP

If a company wants to use VoIP equipment in a Cisco AVVID environment, the Cisco Skinny Client Control Protocol (SCCP) is used to establish a connection between the IP phone and the Cisco CallManager. Of course, firewalls must recognize it and understand the information being transmitted.

Kerio WinRoute Firewall automatically recognizes the SCCP protocol and performs network address translation between the IP phone and the Cisco CallManager. Since Kerio WinRoute Firewall performs IP address translation dynamically, the administrator does not need to manually configure the IP address for each IP phone.

UPnP support

The Universal Plug and Play (UPnP) standard used in Windows allows different applications to work with each other without additional firewall settings. Kerio WinRoute Firewall works with UPnP technology so that applications such as MSN Messenger can run smoothly.

Minimum system requirements

Kerio WinRoute Firewall

  • 256 MB RAM
  • 20 MB HDD for installation
  • Additional free space for logs and cache
  • At least 2 network interfaces (including dial-up)
  • Windows 2000 / XP / 2003 / Vista

Kerio VPN Client

  • 128 MB RAM
  • 5 MB HDD
  • Windows 2000 / XP / 2003 / Vista

Implementation cost

Since our organization has about 150 computers, a license including 250 users is the one for us. The cost is calculated as follows: (base license for 5 users) + (add-on for 250 users). Euro to ruble rate = 41.4


Kerio Control (ex. Kerio WinRoute Firewall): 241.9 * 41.4 + 5605 * 41.4 = 10014.66 + 232047 = 242 061.66 r

Web filtering is also necessary, especially since in Traffic Inspector this feature is included in the software price and is not sold as a separate option.

Kerio Web Filter = 28 * 41.4 + 250 * 41.4 = 1159.2 + 10350 = 11509.2 r

In total we get: 11509.2 + 242 061.66 = 253 570.86 rubles for 255 licenses!

Configuring Kerio VPN Server to connect individual VPN clients.

The VPN server is used to connect the remote ends of VPN tunnels and remote clients using Kerio VPN Client. The VPN server appears as a separate interface on the Interfaces tab in the Configuration / Interfaces section.

Go to this tab and find the VPN Server among the interfaces. Double-clicking the VPN server interface opens a dialog for setting the VPN server parameters (you can also select the interface and click Edit, or choose Edit from the context menu).

In the window that opens, enable the VPN server (Enable VPN server) and specify the subnet for VPN clients. In my network, all local users have addresses of the form 192.168.100.xxx and all VPN clients 192.168.101.xxx.

By default (on first launch after installation) WinRoute automatically selects a free subnet to be used for VPN. Under normal circumstances there is no need to change it. Just make sure the VPN client subnet does not conflict with the local subnet!

On the DNS tab, specify the DNS servers that will be assigned to your VPN clients. This may be needed in a domain network where computers must be reachable by DNS name.

Use specific DNS servers: this option lets you specify primary and secondary DNS servers for VPN clients. Use it if the local network relies on a different DNS server rather than the DNS Forwarder.

My users do not use DNS names, so I left everything unchanged here.

I don't need the Advanced tab either, but we'll describe it anyway.

Listen on port - The port on which the VPN server accepts incoming connections (TCP and UDP protocols are used). The default port is 4090 (normally there is no need to change the port).

Notes:

  1. If the VPN server is already running, changing the port automatically disconnects all VPN clients.
  2. If the VPN server cannot run on the specified port (the port is in use by another service), clicking Apply produces the following message in the Error log (see the Error log chapter):

Code:
(4103:10048) Socket error: Unable to bind socket for service to port 4090.
(5002) Failed to start service "VPN" bound to address 192.168.1.1.

To verify that the specified port is indeed free, check the Error log for entries like these.

Custom Routes

In this section, you can define other networks to which routes will be established through the VPN tunnel. By default, routes to all local subnets are defined from the VPN server side (see the Exchange Routing Information chapter).

Advice: use netmask 255.255.255.255 to define a route to a specific host. This can help, for example, when adding a route to a node in the DMZ from the VPN server side.

The first rule allows users from the Internet to reach the VPN server using the Kerio VPN protocol (port 4090).

This is where connected users are displayed. In the settings of the users themselves, you can choose whether the VPN server assigns addresses to clients or assign a specific IP address in the VPN subnet to each VPN client.

That's all. If anything is not clear, please go here.
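To make the subnet warning and the route exchange above concrete, here is an added example (my own code, not Kerio's): it checks a VPN client pool against the local subnets, builds the route list the server pushes to clients (local subnets plus Custom Routes) and resolves destinations with a longest-prefix match. The 192.168.100.0/24 LAN, the 192.168.101.0/24 pool and the DMZ host 10.0.5.7 are constructed values.

```python
"""Model of the Kerio VPN server's subnet check and route exchange.
Added example; all networks below are constructed sample values."""
import ipaddress
from typing import List, Optional

LOCAL_SUBNETS = ["192.168.100.0/24"]   # LAN behind the VPN server (constructed)
VPN_POOL = "192.168.101.0/24"          # addresses handed out to VPN clients
CUSTOM_ROUTES = ["10.0.5.7/32"]        # one DMZ host, netmask 255.255.255.255


def check_vpn_pool(pool: str, local_subnets: List[str]) -> List[str]:
    """Return the local subnets that conflict with the VPN client pool
    (the text's warning); an empty list means the pool is safe to use."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [s for s in local_subnets
            if pool_net.overlaps(ipaddress.ip_network(s, strict=False))]


def custom_route_fields(cidr: str):
    """Network and mask as entered in the Custom Routes dialog; a host route
    (/32) yields the 255.255.255.255 mask recommended in the text."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.netmask)


def routes_pushed_to_client(local_subnets: List[str], custom_routes: List[str]):
    """By default the server advertises every local subnet; custom routes are
    added on top.  Sorted longest prefix first for the lookup below."""
    nets = {ipaddress.ip_network(s, strict=False)
            for s in list(local_subnets) + list(custom_routes)}
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def via_tunnel(dst: str, routes) -> Optional[ipaddress.IPv4Network]:
    """Route that sends dst through the tunnel, or None if the client sends
    it out its own link (the usual split-tunnel behaviour)."""
    addr = ipaddress.ip_address(dst)
    for net in routes:          # longest-prefix match thanks to the ordering
        if addr in net:
            return net
    return None


if __name__ == "__main__":
    print("pool conflicts:", check_vpn_pool(VPN_POOL, LOCAL_SUBNETS))
    routes = routes_pushed_to_client(LOCAL_SUBNETS, CUSTOM_ROUTES)
    for dst in ("192.168.100.20", "10.0.5.7", "10.0.5.8"):
        print(dst, "->", via_tunnel(dst, routes))
```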

How to give users Internet access through NAT in Kerio Winroute Firewall. Configuring NAT in Kerio Winroute Firewall.

Given: a Windows Server 2003 EE machine with Kerio Winroute Firewall 6.4.2 installed and configured.

Objective: to give the system administrator Internet access not through the proxy, like everyone else, but through NAT, so that Counter and WebMoney work. Let's go...

First, create a new rule in the Traffic Policy section. Initially it will be called New rule.

Next, add a Source, that is, the computer that will get Internet access. In our case this is the system administrator's computer. I entered the computer's DNS name in the domain, sysadmin.local. You can also enter an IP address, depending on the situation.

After adding the Source, add the Destination. In our case this is the network connection named Internet. Click Add -> Network Interface and select our Internet connection from the list.

With these parameters added to the rule, we have effectively told the firewall that the machine sysadmin.local may reach the network connection Internet. Next, we need to specify the connection type, ports and services through which it will have that access.

In the Service field we add nothing. It already says Any, which means access is open on all ports and services.

On the Translation tab the default is empty. Click the empty field on the Translation tab and the NAT settings window (Edit Translation) opens.

We only need to let the user online on all ports, so we choose "Translate to IP address of outgoing interface (typical settings)". With this setting we tell Kerio that all outgoing traffic from the user is to be translated to the Internet-facing address. You can also pick a specific interface and IP address to translate to, but we don't need that now.

Click OK and see our rule. Everything seems to be ok, but it doesn't work :) And why?

We forgot to enable the rule and click Apply. To enable the rule, click the empty field in the Action column and select Permit.

Now our rule looks like this:

And it works. The user has NATed outbound Internet access and can play Counter and Warcraft and run WebMoney.
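As an added example (my own simplified model, not Kerio's code), the script below evaluates a packet against the rule built above, showing why the rule did nothing while Action was still empty and what "Translate to IP address of outgoing interface" does to the packet's source. The LAN address for sysadmin.local, the public address of the Internet interface and first-match, default-deny evaluation are assumptions I made for the model.

```python
"""Simplified Traffic Policy evaluation for the NAT rule described above.
Added example; hosts, interface addresses and semantics are assumptions."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed sample topology: sysadmin.local resolves to a LAN address and
# the interface named "Internet" carries the address NAT translates to.
HOSTS = {"sysadmin.local": "192.168.0.50"}
INTERFACES = {"Internet": "203.0.113.10"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str   # interface the packet would leave through
    dport: int


@dataclass
class Rule:
    name: str
    source: str                         # host name or IP address
    destination: str                    # interface name
    service: str = "Any"                # "Any" or a port number as text
    action: Optional[str] = None        # None = not set yet (the page's mistake)
    translation: Optional[str] = None   # "outgoing-interface" = NAT chosen above


def matches(rule: Rule, pkt: Packet) -> bool:
    """Source (name resolved via HOSTS), destination interface and service must all match."""
    src_ip = HOSTS.get(rule.source, rule.source)
    if pkt.src != src_ip or pkt.out_iface != rule.destination:
        return False
    return rule.service == "Any" or str(pkt.dport) == rule.service


def apply_policy(rules: List[Rule], pkt: Packet) -> Tuple[str, object]:
    """Modelled as first matching rule wins, with an implicit deny at the end.
    Returns ("permit", translated_packet) or ("deny", reason)."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action != "Permit":
            # A matching rule whose Action is empty (or Deny) lets nothing through.
            return "deny", f"rule '{r.name}' matched but action is {r.action!r}"
        if r.translation == "outgoing-interface":
            # Source NAT: the packet leaves with the Internet interface's address.
            pkt = replace(pkt, src=INTERFACES[pkt.out_iface])
        return "permit", pkt
    return "deny", "no rule matched (default rule)"


if __name__ == "__main__":
    pkt = Packet("192.168.0.50", "198.51.100.7", "Internet", 443)
    half_done = Rule("New rule", "sysadmin.local", "Internet")
    print(apply_policy([half_done], pkt))          # deny: Action never set
    done = Rule("New rule", "sysadmin.local", "Internet",
                action="Permit", translation="outgoing-interface")
    print(apply_policy([done], pkt))               # permit, src rewritten
```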
