Kerio Control
Administrator's Guide

Kerio Technologies
© Kerio Technologies s.r.o. All rights reserved.

This guide provides a detailed description of the configuration and administration of Kerio Control, version 7.0.1. All additional modifications and updates reserved.

The user interfaces Kerio StaR and Kerio Clientless SSL-VPN are covered in a standalone document, Kerio Control — User's Guide. The Kerio VPN Client application is described in a standalone document, Kerio VPN Client — User's Guide.

For the current version of the product, go to http://www.kerio.com/firewall/download
For other documents addressing the product, see http://www.kerio.com/firewall/manual

Information regarding registered trademarks and trademarks is provided in appendix A.

The products Kerio Control and Kerio VPN Client include open source software. To view the list of open source items included, refer to appendix B.

Contents

1 Quick Checklist
2 Introduction
  2.1 What's new in 7.0
  2.2 Conflicting software
  2.3 System requirements
  2.4 Installation - Windows
  2.5 Initial configuration wizard (Windows)
  2.6 Upgrade and Uninstallation - Windows
  2.7 Installation - Software Appliance and VMware Virtual Appliance
  2.8 Upgrade - Software Appliance / VMware Virtual Appliance
  2.9 Kerio Control components
  2.10 Kerio Control Engine Monitor (Windows)
  2.11 The firewall's console (Software Appliance / VMware Virtual Appliance)
3 Kerio Control administration
  3.1 Kerio Control Administration web interface
  3.2 Administration Console - the main window
  3.3 Administration Console - view preferences
4 License and Registration
  4.1 License types (optional components)
  4.2 Deciding on a number of users (licenses)
  4.3 License information
  4.4 Registration of the product in the Administration Console
  4.5 Product registration at the website
  4.6 Subscription / Update Expiration
5 Network interfaces
  5.1 Groups of interfaces
  5.2 Special interfaces
  5.3 Viewing and editing interfaces
  5.4 Adding new interface (Software Appliance / VMware Virtual Appliance)
  5.5 Advanced dial-up settings
  5.6 Supportive scripts for link control (Windows)
6 Internet Connection
  6.1 Persistent connection with a single link
  6.2 Connection with a single leased link - dial on demand
  6.3 Connection Failover
  6.4 Network Load Balancing
7 Traffic Policy
  7.1 Network Rules Wizard
  7.2 How traffic rules work
  7.3 Definition of Custom Traffic Rules
  7.4 Basic Traffic Rule Types
  7.5 Policy routing
  7.6 User accounts and groups in traffic rules
  7.7 Partial Retirement of Protocol Inspector
  7.8 Use of Full cone NAT
  7.9 Media hairpinning
8 Firewall and Intrusion Prevention System
  8.1 Network intrusion prevention system (IPS)
  8.2 MAC address filtering
  8.3 Special Security Settings
  8.4 P2P Eliminator
9 Configuration of network services
  9.1 DNS module
  9.2 DHCP server
  9.3 Dynamic DNS for public IP address of the firewall
  9.4 Proxy server
  9.5 HTTP cache
10 Bandwidth Limiter
  10.1 How the bandwidth limiter works and how to use it
  10.2 Bandwidth Limiter configuration
  10.3 Detection of connections with large data volume transferred
11 User Authentication
  11.1 Firewall User Authentication
12 Web Interface
  12.1 Web interface and certificate settings information
  12.2 User authentication at the web interface
13 HTTP and FTP filtering
  13.1 Conditions for HTTP and FTP filtering
  13.2 URL Rules
  13.3 Content Rating System (Kerio Web Filter)
  13.4 Web content filtering by word occurrence
  13.5 FTP Policy
14 Antivirus control
  14.1 Conditions and limitations of antivirus scan
  14.2 How to choose and setup antiviruses
  14.3 HTTP and FTP scanning
  14.4 Email scanning
  14.5 Scanning of files transferred via Clientless SSL-VPN (Windows)
15 Definitions
  15.1 IP Address Groups
  15.2 Time Ranges
  15.3 Services
  15.4 URL Groups
16 User Accounts and Groups
  16.1 Viewing and definitions of user accounts
  16.2 Local user accounts
  16.3 Local user database: external authentication and import of accounts
  16.4 User accounts in Active Directory — domain mapping
  16.5 User groups
17 Administrative settings
  17.1 System configuration (Software Appliance / VMware Virtual Appliance)
  17.2 Setting Remote Administration
  17.3 Update Checking
18 Other settings
  18.1 Routing table
  18.2 Universal Plug-and-Play (UPnP)
  18.3 Relay SMTP server
19 Status Information
  19.1 Active hosts and connected users
  19.2 Network connections overview
  19.3 List of connected VPN clients
  19.4 Alerts
20 Basic statistics
  20.1 Volume of transferred data and quota usage
  20.2 Interface statistics
21 Kerio StaR - statistics and reporting
  21.1 Monitoring and storage of statistic data
  21.2 Settings for statistics and quota
  21.3 Connection to StaR and viewing statistics
22 Logs
  22.1 Log settings
  22.2 Logs Context Menu
  22.3 Alert Log
  22.4 Config Log
  22.5 Connection Log
  22.6 Debug Log
  22.7 Dial Log
  22.8 Error Log
  22.9 Filter Log
  22.10 Http log
  22.11 Security Log
  22.12 Sslvpn Log
  22.13 Warning Log
  22.14 Web Log
23 Kerio VPN
  23.1 VPN Server Configuration
  23.2 Configuration of VPN clients
  23.3 Interconnection of two private networks via the Internet (VPN tunnel)
  23.4 Exchange of routing information
  23.5 Example of Kerio VPN configuration: company with a filial office
  23.6 Example of a more complex Kerio VPN configuration
24 Kerio Clientless SSL-VPN (Windows)
  24.1 Kerio Control SSL-VPN configuration
  24.2 Usage of the SSL-VPN interface
25 Specific settings and troubleshooting
  25.1 Configuration Backup and Transfer
  25.2 Configuration files
  25.3 Automatic user authentication using NTLM
  25.4 FTP over Kerio Control proxy server
  25.5 Internet links dialed on demand
26 Technical support
  26.1 Essential Information
  26.2 Tested in Beta version
A Legal Notices
B Used open source items
Glossary of terms
Index

Chapter 1  Quick Checklist

In this chapter you can find a brief guide for a quick setup of Kerio Control. After this setup the firewall should be immediately available and able to share your Internet connection and protect your local network. For a detailed guide refer to the separate Kerio Control — Step-by-Step Configuration guide.

If you are unsure about any element of Kerio Control, simply look up the appropriate chapter in the manual. For information about your Internet connection (such as your IP address, default gateway, DNS server, etc.) contact your ISP.

Note: In this guide, the expression firewall represents the host where Kerio Control is (or will be) installed.

1. The firewall needs at least one interface connected to the local network (e.g. an Ethernet or WiFi network adapter). For the Internet connection, another network adapter, USB ADSL modem, PPPoE, dial-up or another facility is needed.
2. On Windows, test the functionality of the Internet connection and of traffic among hosts within the local network before you run the Kerio Control installation. This test will reduce possible problems with debugging and error detection later.
3. Run the Kerio Control installation and in the wizard provide the required basic parameters (for details, see chapter 2.4 or 2.7).
4. Use the Kerio Administration Console to connect to the firewall (see chapter 3).
5. Set interface groups and basic traffic rules using the Network Rules Wizard (see chapter 7.1).
6. Run the DHCP server and set the required IP ranges including their parameters (subnet mask, default gateway, DNS server address/domain name). For details, see chapter 9.2.
   TIP: The DHCP server can be configured automatically in accordance with the LAN interface parameters. Automatic configuration of the DHCP server can currently be enabled only in the Kerio Control Administration web interface (see chapter 3.1).
7. Check the DNS module settings. Define the local DNS domain if you intend to use the hosts file and/or the DHCP server table. For details, see chapter 9.1.
8. Set user mapping from the Active Directory domain, or create/import local user accounts and groups. Set user access rights. For details, see chapter 16.
9. Enable the intrusion prevention system (see chapter 8.1).
10. Select an antivirus and define the types of objects that will be scanned. If you choose the integrated Sophos antivirus, check the automatic update settings and edit them if necessary. An external antivirus must be installed before it is set in Kerio Control, otherwise it is not available in the combo box.
11. Define IP groups (chapter 15.1), time ranges (chapter 15.2) and URL groups (chapter 15.4) that will be used when defining rules (see chapter 15).
12. Create URL rules (chapter 13.2). Set Kerio Web Filter (chapter 13.3) and automatic configuration of web browsers (chapter 9.5).
13. Define FTP rules (chapter 13.5).
14. Using one of the following methods, set the TCP/IP parameters of the network adapter of the individual LAN clients:
   • Automatic configuration — enable automatic DHCP configuration (set by default on most operating systems). Do not set any other parameters.
   • Manual configuration — define the IP address, subnet mask, default gateway address, DNS server address and local domain name.
15. Use one of the following methods to set the web browser at each workstation:
   • Automatic configuration — activate the Automatically detect settings option (Internet Explorer) or specify the URL for automatic configuration (other types of browsers). For details, refer to chapter 9.5.
   • Manual configuration — select connection via the local network, or define the IP address and the appropriate port of the proxy server (see chapter 9.4).

Chapter 2  Introduction

2.1 What's new in 7.0

Kerio Control 7.0 brings the following improvements:

New product name — Kerio Control
Kerio WinRoute Firewall is no longer just a network firewall.
New features added in versions 6.x and 7.0 make the software a complex tool combining local network security, remote network access, and control and monitoring of users' Internet access. The name Kerio Control is derived from the user access control feature.

Intrusion Detection and Prevention System (IPS/IDS)
Kerio Control now integrates one of the most widely used intrusion detection and prevention systems, Snort. This system enhances the security provided by the firewall and makes Kerio Control a UTM (Unified Threat Management) solution. More details can be found in chapter 8.1.

New integrated antivirus engine — Sophos
Kerio Control includes an all-new antivirus engine, Sophos. This scan engine offers high performance and includes a variety of technologies designed to eliminate the threat of malware. The antivirus runs as a 30-day trial upon initial installation. When upgrading, the McAfee engine is automatically replaced by the new Sophos engine. More details can be found in chapter 14.

MAC address filtering
This new firewall module enables network traffic filtering by the physical addresses (MAC addresses) of network devices. Filtering by physical address helps, for example, to keep unwanted devices off the network, or to stop users from getting around the firewall traffic policy by changing the IP address of their device. Note that a MAC address can be changed in software, so MAC filtering is a convenience control against casual misuse rather than strong authentication of a device. More details can be found in chapter 8.2.

New licensing policy
The licensing policy for Kerio Control has been changed. It is now possible to purchase licenses for a customized number of users. Refer to chapter 4 for more information.

Appendix B  Used open source items

Source code archive: http://download.kerio.com/archive/

KVNET — driver
Kerio Virtual Network Interface driver for Linux (driver for the Kerio VPN virtual network adapter).
Copyright © Kerio Technologies s.r.o.
Homepage: http://www.kerio.com/
The Kerio Virtual Network Interface driver for Linux is distributed and licensed under the GNU General Public License. The complete source code is available at: http://download.kerio.com/archive/

KVNET — API
Kerio Virtual Network Interface driver for Linux API library (API library for the driver of the Kerio VPN virtual network adapter).
Copyright © Kerio Technologies s.r.o.
Homepage: http://www.kerio.com/
The Kerio Virtual Network Interface driver for Linux API library is distributed and licensed under the GNU Lesser General Public License. The complete source code is available at: http://download.kerio.com/archive/

libcurl
Copyright © 1996-2008 Daniel Stenberg

libiconv
libiconv converts from one character encoding to another through Unicode conversion. Kerio Control includes a modified version of this library, distributed under the GNU Lesser General Public License.
Copyright © 1999-2003 Free Software Foundation, Inc.
Author: Bruno Haible
Homepage: http://www.gnu.org/software/libiconv/
The complete source code of the customized version of the libiconv library is available at: http://download.kerio.com/archive/

libxml2
Copyright © 1998-2003 Daniel Veillard. All Rights Reserved.
Copyright © 2000 Bjorn Reese and Daniel Veillard
Copyright © 2000 Gary Pennington and Daniel Veillard
Copyright © 1998 Bjorn Reese and Daniel Stenberg

Netfilter4Win
Netfilter4win is an implementation of the libnetfilter_queue interface for Windows. It is distributed under the GNU General Public License.
Copyright © Kerio Technologies s.r.o.
Copyright © 2005 Harald Welte
The distribution package of the complete source code is available at: http://download.kerio.com/archive/

OpenSSL
This product contains software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young. This product includes software written by Tim Hudson.

Operating system of software appliances
The software appliances Kerio Control Software Appliance and Kerio Control VMware Virtual Appliance are based on various open source software. For detailed information on the licenses of all software used, refer to the file /opt/kerio/winroute/doc/Acknowledgements available on the virtual appliance disk. The distribution package of the complete source code is available at: http://download.kerio.com/archive/

PHP
Copyright © 1999-2006 The PHP Group. All rights reserved. This product includes PHP software available for free at: http://www.php.net/software/

Prototype Framework in JavaScript
Copyright © Sam Stephenson. The Prototype library is freely distributable under the terms of an MIT license. For details, see the Prototype website: http://www.prototypejs.org/

ptlib
This product includes an unmodified version of the ptlib library distributed under the Mozilla Public License (MPL). The original source code is available at: http://h323plus.org/

Snort
Snort is an open source network intrusion detection and prevention system (IDS/IPS). The distribution package includes the Snort system and the pcre and pthreads-win32 libraries. The package is distributed under the GNU General Public License.
Copyright © Kerio Technologies s.r.o.
Copyright © 2001-2008 Sourcefire Inc.
Copyright © 1998-2001 Martin Roesch
Copyright © 1998 John E. Bossom
Copyright © 1999-2005 The pthreads-win32 library authors team
Copyright © 1997-2009 University of Cambridge
Copyright © 2007-2008 Google Inc.
The distribution package of the complete source code is available at: http://download.kerio.com/archive/

zlib
Copyright © Jean-Loup Gailly and Mark Adler

Glossary of terms

ActiveX
This Microsoft proprietary technology is used to create dynamic objects for web pages. It provides a wide range of features, such as saving to disk and running commands at the client (i.e. on the computer where the web page is opened). Using ActiveX, viruses and worms can, for example, modify the telephone number of a dial-up connection. ActiveX is supported only by Internet Explorer on Microsoft Windows operating systems.

Cluster
A group of two or more workstations representing one virtual host (server). Requests to the virtual server are distributed among the individual hosts in the cluster according to a defined algorithm. Clusters improve performance and increase reliability (if one computer in the cluster drops out, the virtual server keeps running).

Connection
A virtual bidirectional communication channel between two hosts. See also TCP.

DDNS
DDNS (Dynamic Domain Name System) is DNS with the feature of automatic update of records.

Default gateway
A network device or a host where the so-called default route is located (the route to the Internet). Packets whose destination address belongs neither to any network connected directly to the host nor to any network recorded in the system routing table are sent to the address of the default gateway. In the system routing table, the default gateway is shown as a route to the destination network 0.0.0.0 with the subnet mask 0.0.0.0. Note: Although in Windows the default gateway is configured in the settings of a network interface, it is used for the entire operating system.

DHCP
DHCP (Dynamic Host Configuration Protocol) serves for the automatic IP configuration of computers in the network. IP addresses are assigned from a scope. Besides IP addresses, other parameters can be associated with client hosts, such as the default gateway address, DNS server address, local domain name, etc.

DMZ
DMZ (demilitarized zone) is a reserved network area where services available both from the Internet and from the LAN are run (e.g. a company's public web server). The DMZ provides an area where publicly accessible servers are located separately, so that a compromised server cannot be used as a stepping stone into the LAN. More information can be found, for example, at Wikipedia.

DNS
DNS (Domain Name System) is a worldwide distributed database of Internet hostnames and their associated IP addresses. Computers use Domain Name Servers to resolve host names to IP addresses. Names are organized in hierarchical domains.

Firewall
Software or a hardware device that protects a computer or computer network against attacks from external sources (typically from the Internet). In this guide, the word firewall represents the Kerio Control host.

FTP
File Transfer Protocol. The FTP protocol uses two types of TCP connection: control and data. The control connection is always established by the client. Two FTP modes are distinguished according to how the data connection is established:
• active mode — the data connection is established from the server to the client (to the port specified by the client). This mode is suitable where the firewall is on the server's side; however, it is not supported by some clients (e.g. web browsers).
• passive mode — the data connection is also established by the client (to the port announced by the server). This mode is suitable where the firewall is on the client's side. It should be supported by any FTP client.
Note: Kerio Control includes special support (a protocol inspector) for the FTP protocol. Therefore, both FTP modes can be used on LAN hosts.

Gateway
A network device or a computer connecting two different subnets. If traffic to all other (not specified) networks is routed through a gateway, it is called the default gateway. See also default gateway.

Greylisting
A method of protecting SMTP servers from spam. If an email message from an unknown sender is delivered to the server, the server rejects it the first time (a so-called temporary delivery error). Legitimate senders attempt to resend the message after some time; the SMTP server then lets the message in and considers the sender trustworthy from then on, no longer blocking their messages. Most spam senders try to send as great a volume as possible in as short a time as possible and to stay anonymous, so they usually do not retry and move on to another SMTP server. More information (in English) can be found, for example, at Wikipedia.

Ident
The Ident protocol is used to identify the user who established a certain TCP connection from a particular (multi-user) system. The Ident service is used, for example, by IRC servers, FTP servers and other services. More information (in English) can be found, for example, at Wikipedia.

IDS/IPS
IDS/IPS (Intrusion Detection System / Intrusion Prevention System) is a system for detection and prevention of network intrusions. It can be used to protect a particular computer, or implemented on the Internet gateway to protect the entire local network which uses this gateway for its Internet connection. The IDS/IPS system analyzes all network traffic, detecting and blocking known intrusions (e.g. port scanning, DoS, etc.), and also analyzes suspicious activities, thus attempting to prevent even unknown intrusion types.

IMAP
Internet Message Access Protocol (IMAP) enables clients to manage messages stored on a mail server without downloading them to a local computer. This architecture allows the user to access his/her mail from multiple locations (messages downloaded to a local disk would not be available from other locations).

IP address
An IP address (IPv4) is a unique 32-bit number used to identify a host on the Internet. It is written as four decimal numbers (0-255) separated by dots (e.g. 195.129.33.1). Each packet contains information about where it was sent from (source IP address) and to which address it is to be delivered (destination IP address).

IPSec
IPsec (IP Security) is an extension of the IP protocol which enables secure data transfer. It provides services similar to SSL/TLS, but at the network layer. IPsec can be used to create encrypted tunnels between networks (VPN), the so-called tunnel mode, or to encrypt traffic between two hosts, the so-called transport mode.

Kerberos
Kerberos is a system used for secure user authentication in network environments. It was developed at MIT and is the standard protocol for user authentication in Windows 2000/2003/2008 domains. Users use their passwords to authenticate to a central server (KDC, Key Distribution Center) and the server issues them encrypted tickets which they use to authenticate to various services in the network. In Windows 2000/2003/2008 domains, the function of the KDC is provided by the domain controller.

LDAP
LDAP (Lightweight Directory Access Protocol) is an Internet protocol used to access directory services. Information about user accounts and user rights, about hosts in the network, etc. is stored in the directories.

MAC address
A MAC address (MAC = Media Access Control, also known as the physical or hardware address) is a unique identifier of a network adapter. In Ethernet and WiFi it has 48 bits (6 bytes) and is written as six pairs of hexadecimal digits separated by colons or dashes. The Kerio Control administration interface uses the format with colons, e.g. 00:1a:cd:22:6b:5f.

NAT
NAT (Network Address Translation) stands for the substitution of IP addresses in packets passing through the firewall:
• source address translation (Source NAT, SNAT) — in packets going from the local network to the Internet, the source (private) IP address is substituted with the external (public) address of the firewall. Each connection opened from the local network is recorded in the NAT table. If a packet incoming from the Internet matches a record in this table, its destination IP address is substituted by the IP address of the appropriate host within the local network and the packet is forwarded to that host. Packets that do not match any record in the NAT table are dropped.
• destination address translation (Destination NAT, DNAT, also called port mapping) — is used to make services in the local network reachable from the Internet. If a packet incoming from the Internet meets certain requirements (typically a given destination port), its destination IP address is substituted by the IP address of the local host where the service is running and the packet is sent to that host.
NAT enables connection from a local network to the Internet using a single public IP address. All hosts within the local network can access the Internet directly as if they were on a public network (with certain limitations). Services running on local hosts can be mapped to the public IP address. A detailed description (in English) can be found, for example, at Wikipedia.

Network adapter
The equipment that connects a host to a transmission medium. It can be an Ethernet adapter, a WiFi adapter, a modem, etc. Network adapters are used by hosts to send and receive packets. They are also referred to throughout this document as network interfaces.

P2P network
Peer-to-Peer (P2P) networks are worldwide distributed systems where each node can act as both a client and a server. These networks are used for sharing large volumes of data (much of this sharing is illegal). DirectConnect and Kazaa are the most popular ones.

Packet
The basic data unit transmitted via computer networks. A packet consists of a header, which includes essential data (i.e. source and destination IP address, protocol type, etc.), and the data body. Data transmitted via networks is divided into small segments, or packets. If an error is detected in a packet or a packet is lost, it is not necessary to repeat the entire transmission; only the particular packet is re-sent.

Policy routing
Advanced routing technology using additional information apart from the destination IP address, such as the source IP address, protocol, etc. See also routing table.

POP3
Post Office Protocol is an email access protocol that allows users to download messages from a server to a local disk. It is suitable for clients who do not have a permanent connection to the Internet.

Port
A 16-bit number (0-65535) used by TCP and UDP to identify applications (services) on a given computer. More than one application can run on a host simultaneously (e.g. a web server, mail client, FTP client, etc.); each is identified by its port number. Ports 0-1023 are reserved for well-known services (e.g. 80 = HTTP). Ports above 1023 can be freely used by any application.

PPTP
A protocol from Microsoft used to build virtual private networks. See the chapters and sections concerning VPN. Note that PPTP's MS-CHAPv2 authentication and its RC4-based encryption are considered broken; prefer IPsec or TLS-based VPNs where possible.

Private IP addresses
Local networks that do not belong to the Internet (private networks) use reserved ranges of IP addresses (private addresses). These addresses cannot be used on the Internet, which guarantees that IP ranges used in local networks cannot collide with IP addresses used on the Internet. The following IP ranges are reserved for private networks:
• 10.0.0.0/255.0.0.0 (10.0.0.0/8)
• 172.16.0.0/255.240.0.0 (172.16.0.0/12)
• 192.168.0.0/255.255.0.0 (192.168.0.0/16)

Protocol inspector
A Kerio Control subroutine which is able to monitor communication using application protocols (e.g. HTTP, FTP, MMS, etc.).
Protocol inspection is used to check the proper syntax of the corresponding protocol (mistakes might indicate an intrusion attempt), to ensure its proper functionality while passing through the firewall (e.g. FTP in active mode, where the data connection to the client is established by the server) and to filter traffic by the corresponding protocol (e.g. restricting access to web pages by URL, antivirus checking of downloaded objects, etc.). Unless traffic rules are set to follow a different policy, each protocol inspector is automatically applied to all connections of the relevant protocol that pass through Kerio Control.

Proxy server
An older, but still widespread, method of Internet connection sharing. Proxy servers mediate between clients and destination servers. A proxy server works as an application and supports only particular application protocols (e.g. HTTP, FTP, Gopher, etc.); it also requires support in the corresponding client application (e.g. the web browser). Compared to NAT, the range of features offered is not so wide.

Router
A computer or device with one or more network interfaces between which it forwards packets according to specific rules (so-called routes). The router's goal is to forward packets only towards the destination network, i.e. to the network (or the next router) that brings them closer to it. This saves other networks from being loaded with packets targeting another network. See also routing table.

Routing table
The information used by routers when making packet forwarding decisions (the routes). Packets are routed according to their destination IP address. On Windows, the routing table can be printed with the route print command; on Unix systems (Linux, Mac OS X, etc.) with the route or netstat -rn command (on current Linux systems also ip route).

Script
Code that is run on a web page by the client (web browser). Scripts are used to generate dynamic elements on web pages; however, they can be misused for ads, harvesting user information, etc. Modern web browsers usually support several scripting languages, such as JavaScript and Visual Basic Script (VBScript).

SMTP
Simple Mail Transfer Protocol is used for sending email between mail servers. The SMTP envelope identifies the sender/recipient of an email.

Spam
An undesirable email message, usually containing advertisements.

Spoofing
Spoofing means forging the source IP address in packets. Attackers use it to make the recipient assume that the packet comes from a trusted IP address (e.g. from the local network). A firewall counters it with anti-spoofing: a packet is accepted on an interface only if its source address belongs to a network reachable through that interface.

SSL
SSL is a protocol used to secure and encrypt network communication. SSL was originally designed to secure the transfer of web pages over the HTTP protocol. Nowadays, it is used by almost all standard Internet protocols (SMTP, POP3, IMAP, LDAP, etc.). At the beginning of the communication, a session key is negotiated using asymmetric (public-key) cryptography; this key is then used to encrypt the data symmetrically.

Subnet mask
A subnet mask divides an IP address into two parts: the network part and the host part (the address of a host within that network). The mask has the same form as an IP address (e.g. 255.255.255.0), but its value must be understood as a 32-bit number consisting of a run of ones on the left and zeros for the rest; the mask cannot have an arbitrary value. A one in the subnet mask marks a bit of the network address and a zero marks a bit of the host address. All hosts within a particular subnet must have the same subnet mask and the same network part of the IP address.

TCP
Transmission Control Protocol is a transport protocol which ensures reliable, in-order data delivery. It establishes so-called virtual connections and provides tools for error correction and flow control. It is used by most application protocols which require reliable transmission of all data, such as HTTP, FTP, SMTP, IMAP, etc. TCP uses the following special control bits, so-called flags:
• SYN (Synchronize) — connection initiation (the first packet in each connection)
• ACK (Acknowledgement) — acknowledgement of received data
• RST (Reset) — abort of the current connection; the connection is torn down immediately and a new one must be opened to continue
• URG (Urgent) — the packet carries urgent data
• PSH (Push) — request for immediate delivery of the data to the upper layers
• FIN (Finish) — orderly connection close; the sender has no more data

TCP/IP
The name used for the whole family of protocols used on the Internet (i.e. IP, ICMP, TCP, UDP, etc.). TCP/IP does not stand for any particular protocol!

TLS
Transport Layer Security. The successor of the SSL protocol, standardized by the IETF and accepted by all major IT companies (e.g. Microsoft Corporation).

UDP
User Datagram Protocol is a transport protocol which transfers data in individual messages (so-called datagrams). It does not establish connections and provides neither reliable nor sequential delivery, nor error correction or flow control. It is used for the transfer of small amounts of data (e.g. DNS queries) or for transmissions where speed is preferred over reliability (e.g. real-time audio and video).

VPN
Virtual Private Network. A VPN is a secure interconnection of private networks (e.g. individual offices of an organization) via the Internet. Traffic between the networks (the so-called tunnel) is encrypted, which protects it from eavesdropping. VPNs use special tunneling protocols, such as PPTP (Point-to-Point Tunneling Protocol) and IPsec. Kerio Control contains a proprietary VPN implementation called Kerio VPN.

WINS
The WINS (Windows Internet Name Service) service is used for the resolution of hostnames to IP addresses within Microsoft Windows networks.
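The glossary entries on the default gateway, subnet mask, private IP addresses, routing table and spoofing all describe one mechanism seen from different sides: a lookup by network mask, with 0.0.0.0/0 as the fallback, and a check that a packet's source address is plausible for the interface it arrived on. The script below is an added example written for this page, not Kerio Control code. It implements longest-prefix route lookup over a constructed routing table, the contiguous-ones rule for subnet masks, the RFC 1918 private ranges, and a reverse-path anti-spoofing check of the kind a firewall applies per interface. The routes, addresses and interface names LAN and Internet are assumptions made for the illustration.

```python
"""Route lookup and reverse-path anti-spoofing, as an added example for the
glossary entries on default gateway, subnet mask, private IP addresses,
routing table and spoofing. Not Kerio Control code; all addresses, interface
names and routes below are constructed for illustration."""
import ipaddress

# Constructed routing table: (destination network, gateway or None for a
# directly connected network, outgoing interface). The last entry is the
# default route, shown by system tools as destination 0.0.0.0, mask 0.0.0.0.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None, "LAN"),
    (ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_address("192.168.1.254"), "LAN"),
    (ipaddress.ip_network("203.0.113.0/29"), None, "Internet"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "Internet"),
]

# The three ranges reserved for private networks (RFC 1918), in CIDR form.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def valid_mask(mask: str) -> bool:
    """A subnet mask must be a run of ones followed by a run of zeros.
    Inverting such a mask gives 2**k - 1, one less than a power of two."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b share the network part selected by mask."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(a)) & m) == (int(ipaddress.IPv4Address(b)) & m)


def lookup(address: str):
    """Longest-prefix match: the most specific route whose network contains
    the address wins; 0.0.0.0/0 matches everything and is therefore used
    only as a last resort. Returns (network, gateway, interface) or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, gw, ifc in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return best


def next_hop(address: str):
    """Where a packet for `address` goes: ('direct' or the gateway, interface)."""
    route = lookup(address)
    if route is None:
        return None
    net, gw, ifc = route
    return ("direct" if gw is None else str(gw), ifc)


def is_private(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE)


def is_spoofed(source: str, arrived_on: str) -> bool:
    """Reverse-path check: a packet whose source address would be routed out
    through a different interface than the one it arrived on is spoofed.
    A private source address arriving on the Internet interface is rejected
    outright, because it would otherwise pass the check via the default route."""
    if arrived_on == "Internet" and is_private(source):
        return True
    route = lookup(source)
    return route is None or route[2] != arrived_on


if __name__ == "__main__":
    for dst in ("192.168.1.77", "10.10.3.4", "198.51.100.9"):
        print(dst, "->", next_hop(dst))
    for src, ifc in (("192.168.1.5", "Internet"), ("8.8.8.8", "LAN"), ("8.8.8.8", "Internet")):
        print("source", src, "on", ifc, "spoofed:", is_spoofed(src, ifc))
```

The reverse-path test alone is not enough on the Internet side: a private source such as 172.16.0.1 has no route of its own, falls through to the default route and would be accepted as "arrived on the right interface", which is why the private-range rejection is applied first.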
233 administration 30 Administration Console 32 Administration web interface 31 firewall’s console 28 remote 19, 240 Administration Console 30 columns 35 views setup 35 alerts 263 overview 266 settings 263 templates 265 anti-spoofing 119 antivirus check 12, 190 conditions 190 external antivirus 193 file size limits 194 HTTP and FTP 195 protocols 194 rules for file scanning 198 settings 191 SMTP and POP3 199 Sophos 191 B bandwidth limiter 153 configuration 153 detection principle 158 beta version 377 blacklist 114 BOOTP 140 C cache DNS 126 HTTP 147 location 21, 147 size 148 URL exceptions 150 certificate SSL-VPN 361 VPN server 310 Web Interface 165 Clientless SSL-VPN 360 antivirus check 362 certificate 361 configuration 361 deployment 362 port 361 traffic rule 361 user right 222, 238 configuration files 364 manipulation 365 conflict port 12 software 11 system services 17 connection failover 67 D DDNS 142 DHCP 131 automatic configuration 132 BOOTP 140 default options 133 IP scopes 132 lease reservations 137 leases 139 manual configuration 132 RAS 140 390 proxy server 144 URL Rules 170 dial-up 64 dialing scripts 21, 58 hangup if idle 58 settings 56 dial on demand 64, 371 unintentional dialing 374 DNS 124 DNS Forwarder 124 forwarding rules 128 hosts file 126 local domain 127 dynamic DNS 142 E Engine 26 Engine Monitor I IDS/IPS 112 import user accounts 228 installation 13 Appliance 22 Windows 13 interface throughput charts 51 anti-spoofing 119 Dial-In 53 groups 52 Internet connection 60 back-up 67 dial on demand 64, 371 leased line 61 load balancing 71 unintentional dialing 374 intrusion detection 112 prevention 112 intrusion detection 112 exceptions 116 protocols 116 intrusion prevention 112 26, 27 F FAT32 17 filtering FTP 169 HTTP 169 MAC addresses 116 network communication FTP 169, 210, 369 filtering rules 185 full cone NAT 93 77 G groups interface throughput charts IP address 204 of forbidden words 183 URL 211 user groups 214, 220, 235 H H.323 210 hairpinning 110 
HTTP 169 cache 147 content rating 177 filtering by words 181 logging of requests 176 52 K Kerberos 220 Kerio Administration Console 27 Kerio Web Filter 177 deployment 179 parameters configuration 177 website categories 180 L language Administration Console 31 Administration web interface of alerts 266 license 37 expiration 49 information 39 391 31 Index license key 37 license types 38 optional components 38 license key 49 load balancing 71 optimization 105 reserved link 103 localizations Administration Console 31 Administration web interface of alerts 266 log 282 Alert 289 Config 289 Connection 291 Debug log 292 Dial 294 Error 296 file name 283 Filter 297 highlighting 288 Http 299 location 283 rotation 283 Security 301 settings 282 Sslvpn 304 Syslog 284 Warning 304 Web 306 deployment 365 Kerio Control configuration O OVF 31 N NAT 91, 97 full cone NAT 93, 108 NT domain import of user accounts 228 NTFS 17 NTLM 161, 162 configuration of web browsers 23 P P2P Eliminator 120 Peer-to-Peer (P2P) networks 120 allow 222, 238 deny 120 detection 255 ports 122 speed limit 120 policy routing 103 port 12, 89 Administration Console 34 SSL-VPN 361 Web Interface 31 port mapping 80, 94, 98 probe hosts 70, 75 product registration 37 protocol inspector 96, 209, 210 retirement 107 proxy server 144, 369 parent 146 Q Quick Setup quota settings 276 speed limit 153 M MAC address 116 media hairpinning 110 multihoming 100 368 366 R ranges time 205, 206 RAS 140 registration 37 at the Kerio website 48 of purchased product 44 trial version 41 relay SMTP server 249 routing table 244 static routes 245 392 S service 89, 207 SIP 210 SSL-VPN 360 antivirus check 362 certificate 361 configuration 361 deployment 362 port 361 traffic rule 361 user right 222, 238 StaR 274 conditions for statistics 275 enable/disable gathering of statistic data 274 overview 279 settings 276 statistics 268 conditions for statistics 275 interface throughput charts 270 in the Web interface 274 Kerio StaR 274 monitoring 274 
overview 279 settings 276 user groups 268 status information 251 active hosts 251 connections 258 subscription 38 expiration 49 Syslog 284 Facility 285 Severity 285 system requirements 13 T technical support 376 traffic policy 77 created by wizard 82 default rule 83 definition 84 exceptions 102 Internet access limiting 101 wizard 77 transparent proxy Trial ID 43 TTL 147, 151 147 U uninstallation Windows 22 update antivirus 192 Kerio Control 241 upgrade Appliance 26 automatic update 241 Windows 20 UPnP 247 settings 247 system services 17 user accounts 214 definition 215 domain mapping 229 in traffic rules 105 local 216, 217 mapped 217 templates 216, 219 user authentication 160 authentication methods automatic login 226 configuration 161 219 V VMware 23 VPN 307 client 222, 238, 314 configuration example 322 Kerio Clientless SSL-VPN 360 Kerio VPN 307 routing 321 server 52, 308 SSL certificate 310 tunnel 315 VPN client 314 DNS 311 routing 313 393 static IP address 227 WINS 312 VPN tunnel 315 configuration 315 DNS 318 routing 318 traffic policy 320 W Web Interface 164, 164 Web interface automatic configuration configuration script 147 Web Interface SSL certificate 165 user authentication 167 Windows Internet Connection Sharing security center 18 Windows Firewall 17, 18 wizard configuration 18 traffic rules 77 146 394 17, 18 ... interfaces Kerio StaR and Kerio Clientless SSL-VPN are focused in a standalone document, Kerio Control — User’s Guide The Kerio VPN Client application is described in a stand-alone document Kerio. .. required for smooth functionality of Kerio Control Installation and Basic Configuration Guide Once the installation program is launched (i.e by kerio- control- 7.0. 0-1 000-win32.exe), it is possible to... ESX/ESXi from the URL of the OVF file — for example: http://download .kerio. com/dwn /control/ kerio- control- appliance-7.0. 0-1 234-linux.ovf VMware ESX/ESXi automatically downloads the OVF configuration
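The glossary's Subnet mask entry states three rules: a mask is a 32-bit value with all its ones on the left, the network part is the bits where the mask has a one, and hosts share a subnet only when mask and network part are identical. The following Python helpers check those rules on constructed addresses; this is an added example, not code from the Kerio Control guide, and the sample addresses are made up.

```python
"""Subnet-mask checks for the glossary rules above (added example,
not part of the Kerio Control guide). Sample addresses are constructed."""


def dotted_to_int(dotted: str) -> int:
    """Convert dotted-quad notation (e.g. 255.255.255.0) to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int for a 32-bit integer."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask: str) -> bool:
    """True only if the mask is a run of ones followed by zeros (no gaps)."""
    inverted = (~dotted_to_int(mask)) & 0xFFFFFFFF
    # A valid mask inverted is 2**k - 1, so adding one yields a power of two.
    return (inverted & (inverted + 1)) == 0


def prefix_length(mask: str) -> int:
    """Number of leading one bits, e.g. 255.255.255.0 -> 24."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid subnet mask: {mask}")
    return bin(dotted_to_int(mask)).count("1")


def network_part(ip: str, mask: str) -> str:
    """Network address: the IP bits where the mask has a one (bitwise AND)."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid subnet mask: {mask}")
    return int_to_dotted(dotted_to_int(ip) & dotted_to_int(mask))


def same_subnet(ip_a: str, mask_a: str, ip_b: str, mask_b: str) -> bool:
    """Hosts share a subnet only with identical mask and identical network part."""
    if dotted_to_int(mask_a) != dotted_to_int(mask_b):
        return False
    return network_part(ip_a, mask_a) == network_part(ip_b, mask_b)


if __name__ == "__main__":
    # Constructed sample: two hosts on 192.168.1.0/24 and one on 192.168.2.0/24.
    print(prefix_length("255.255.255.0"), network_part("192.168.1.37", "255.255.255.0"))
    print(same_subnet("192.168.1.37", "255.255.255.0", "192.168.1.200", "255.255.255.0"))
    print(same_subnet("192.168.1.37", "255.255.255.0", "192.168.2.5", "255.255.255.0"))
```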

Date posted: 26/01/2014, 15:20


Table of contents

  • Quick Checklist

  • Introduction

    • What's new in 7.0

    • Conflicting software

    • System requirements

    • Installation - Windows

    • Initial configuration wizard (Windows)

    • Upgrade and Uninstallation - Windows

    • Installation - Software Appliance and VMware Virtual Appliance

    • Upgrade - Software Appliance / VMware Virtual Appliance

    • Kerio Control components

    • Kerio Control Engine Monitor (Windows)

    • The firewall's console (Software Appliance / VMware Virtual Appliance)

  • Kerio Control administration

    • Kerio Control Administration web interface

    • Administration Console - the main window

    • Administration Console - view preferences

  • License and Registration

    • License types (optional components)

    • Deciding on a number of users (licenses)

    • License information

    • Registration of the product in the Administration Console

    • Product registration at the website
