Summary of the content on page 1
Kerio WinRoute Firewall 6
Administrator’s Guide
Kerio Technologies s.r.o.
Summary of the content on page 2
© Kerio Technologies s.r.o. All rights reserved. This guide provides a detailed description of the configuration and administration of Kerio WinRoute Firewall, version 6.7.1. All additional modifications and updates reserved. The Kerio StaR and Kerio Clientless SSL-VPN user interfaces are covered in a standalone document, Kerio WinRoute Firewall — User’s Guide. The Kerio VPN Client application is described in a standalone document, Kerio VPN Client — User’s Guide. For current version of the product, go to h
Summary of the content on page 3
Contents
1 Quick Checklist, p. 7
2 Introduction, p. 9
2.1 What’s new in 6.7.1, p. 9
2.2 Conflicting software
Summary of the content on page 4
7.5 Policy routing, p. 95
7.6 User accounts and groups in traffic rules, p. 98
7.7 Partial Retirement of Protocol Inspector, p. 99
7.8 Use of Full cone NAT, p. 101
7.
Summary of the content on page 5
15 User Accounts and Groups, p. 190
15.1 Viewing and definitions of user accounts, p. 191
15.2 Local user accounts, p. 193
15.3 Local user database: external authentication and import of accounts, p. 203
15.4 User accounts in Active Direct
Summary of the content on page 6
22.9 Filter Log, p. 276
22.10 Http log, p. 277
22.11 Security Log, p. 278
22.12 Sslvpn Log
Summary of the content on page 7
Chapter 1 Quick Checklist
In this chapter you can find a brief guide for a quick setup of Kerio WinRoute Firewall (referred to as “WinRoute” within this document). After this setup the firewall should be immediately available and able to share your Internet connection and protect your local network. For a detailed guide refer to the separate WinRoute — Step-by-Step Configuration guide. If you are not sure how to set any of the Kerio WinRoute Firewall functions or features, look up the appropriate c
Summary of the content on page 8
9. Select an antivirus and define types of objects that will be scanned. If you choose the integrated McAfee antivirus application, check automatic update settings and edit them if necessary. External antivirus must be installed before it is set in WinRoute, otherwise it is not available in the combo box.
10. Using one of the following methods set TCP/IP parameters for the network adapter of individual LAN clients:
• Automatic configuration — activate the Obtain an IP add
Summary of the content on page 9
Chapter 2 Introduction
2.1 What’s new in 6.7.1
In version 6.7.1, WinRoute brings the following new features:
Kerio WinRoute Firewall Software Appliance / VMware Virtual Appliance
Kerio WinRoute Firewall is now available as a so-called software appliance (Software Appliance / VMware Virtual Appliance). This appliance is distributed as a full installation package with the firewall and operating system and can be installed on a physical or virtual computer without an operating system. Software App
Summary of the content on page 10
Support for Windows 7
Kerio WinRoute Firewall now includes full support for the new operating system Microsoft Windows 7.
2.2 Conflicting software
WinRoute can be run with most common applications. However, there are certain applications that should not be run on the same host as WinRoute, because this could result in collisions. The computer where WinRoute is installed (the host) can also be used as a workstation. However, it is not recommended — user interaction may affe
Summary of the content on page 11
2.3 System requirements
• 53/UDP — DNS module,
• 67/UDP — DHCP server,
• 1900/UDP — the SSDP Discovery service,
• 2869/TCP — the UPnP Host service.
The SSDP Discovery and UPnP Host services are included in the UPnP support (refer to chapter 18.2).
• 44333/TCP+UDP — traffic between Kerio Administration Console and WinRoute Firewall Engine. This service cannot be stopped.
The following services use corresponding ports by default. Ports for these services can be changed.
• 443/TCP — server of the SSL
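An added example, not part of the Kerio guide: a pre-installation check that parses `netstat -ano` output and reports which of the ports listed above are already bound by another process on the host. The helper name `find_port_conflicts` is hypothetical and the netstat sample is constructed for illustration.

```python
import re

# Ports taken from the list above. 443/TCP is left out because its entry is
# cut off on the page.
WINROUTE_PORTS = {
    ("UDP", 53): "DNS module",
    ("UDP", 67): "DHCP server",
    ("UDP", 1900): "SSDP Discovery service",
    ("TCP", 2869): "UPnP Host service",
    ("TCP", 44333): "Administration Console / Firewall Engine",
    ("UDP", 44333): "Administration Console / Firewall Engine",
}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49152     203.0.113.7:44333      ESTABLISHED     2240
  TCP    [::]:2869              [::]:0                 LISTENING       4
  UDP    0.0.0.0:1900           *:*                                    1100
  UDP    127.0.0.1:53           *:*                                    1532
  UDP    0.0.0.0:500            *:*                                    688
"""

# proto, local address, local port, foreign address, optional state, PID
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def find_port_conflicts(netstat_text):
    """Return sorted (proto, port, pid, winroute_service) for ports already bound."""
    hits = set()  # a set, so IPv4 and IPv6 listeners of one process count once
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, _addr, port, _foreign, state, pid = m.groups()
        # UDP rows have no state column; TCP rows count only when listening.
        if proto == "TCP" and state != "LISTENING":
            continue
        service = WINROUTE_PORTS.get((proto, int(port)))
        if service:
            hits.add((proto, int(port), int(pid), service))
    return sorted(hits)


if __name__ == "__main__":
    for proto, port, pid, service in find_port_conflicts(SAMPLE_NETSTAT):
        print(f"{port}/{proto} needed by {service} is held by PID {pid}")
```

On a live host, pass the text of `netstat -ano` to the function instead of the sample; the PID column can then be matched to a process name in Task Manager or with `tasklist`.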
Summary of the content on page 12
• 50 MB free disk space for installation of Kerio WinRoute Firewall.
• Disk space for statistics (see chapter 21) and logs (in accordance with traffic flow and logging level — see chapter 22).
• To keep the installed product (especially its configuration files) as secure as possible, it is recommended to use the NTFS file system.
For Kerio WinRoute Firewall Software Appliance:
• Minimum 3 GB hard disk.
• No operating system is required to be installed on the computer. Any existi
Summary of the content on page 13
2.4 Installation - Windows
Note:
1. WinRoute installation packages include the Kerio Administration Console. The separate Kerio Administration Console installation package (file kerio-kwf-admin*.exe) is designed for full remote administration from another host. This package is identical both for 32-bit and 64-bit Windows systems. For details on WinRoute administration, see chapter 3.
2. For correct functionality of the Kerio StaR interface (see chapter 21), it is necessary that the WinRoute h
Summary of the content on page 14
Figure 2.1 Installation — customization by selecting optional components
• Kerio WinRoute Firewall Engine — core of the application.
• VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN).
• Administration Console — the Kerio Administration Console application (universal console for all server applications of Kerio Technologies) including WinRoute administration tools.
• Help files — this manual in the HTML Help format. For help files detail
Summary of the content on page 15
• all checked components will be installed or updated,
• all unchecked components will not be installed or will be removed.
During an update, all components that are intended to remain must be ticked.
2. The installation program does not allow installing the Administration Console separately. Installation of the Administration Console for full remote administration requires a separate installation package (file kerio-kwf-admin*.exe).
Protection of the installed produ
Summary of the content on page 16
2. Universal Plug and Play Device Host and SSDP Discovery Service
The services support UPnP (Universal Plug and Play) in the Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 operating systems. However, these services collide with the UPnP support in WinRoute (refer to chapter 18.2).
The WinRoute installation includes a dialog where it is possible to disable colliding system services.
Figure 2.2 Disabling colliding system services during installation
B
Summary of the content on page 17
2.5 Initial configuration wizard (Windows)
warning log. This helps assure that the service will be enabled/started immediately after the WinRoute installation.
2. On Windows XP Service Pack 2, Windows Server 2003, Windows Vista and Windows Server 2008, WinRoute registers in the Security Center automatically. This implies that the Security Center always indicates firewall status correctly and it does not display warnings informing that the system is not protected.
2.5 Initial configuration wizard
Summary of the content on page 18
Password and its confirmation must be entered in the dialog for account settings. Name Admin can be changed in the Username edit box.
Note: If the installation is running as an upgrade, this step is skipped since the administrator account already exists.
Remote Access
Immediately after the first WinRoute Firewall Engine startup all network traffic will be blocked (desirable traffic must be permitted by traffic rules — see chapter 7). If WinRoute is installed remotely (i.e. using te
Summary of the content on page 19
2.6 Upgrade and Uninstallation - Windows
Enable remote access
This option enables full access to the WinRoute computer from a selected IP address.
Remote IP address
IP address of the computer from where you will be connecting (e.g. terminal services client). This field must contain an IP address. A domain name is not allowed.
Warning
The remote access rule is disabled automatically when WinRoute is configured using the network policy wizard (see chapter 7.1).
2.6 Upgrade and Uninstallation - Wind
Summary of the content on page 20
Figure 2.5 Uninstallation — asking user whether files created in WinRoute should be deleted
Keeping these files may be helpful for copying of the configuration to another host or if it is not certain whether the SSL certificates were issued by a trustworthy certification authority.
During uninstallation, the WinRoute installation program automatically refreshes the original status of the Windows Firewall / Internet Connection Sharing, Universal Plug and Play Device Host) and SSDP