Kerio Tech WinR oute Firewall 6 User Manual

Administrator’s Guide

Kerio Technologies s.r.o.

 Kerio Technologies s.r.o. All rights reserved.

This guide provides detailed description on configuration and administration of Kerio
WinRoute Firewall, version 6.7.1. All additional modifications and updates reserved. User
interfaces Kerio StaR and Kerio Clientless SSL-VPN are focused in a standalone document,
Kerio WinRoute Firewall — User’s Guide. The Kerio VPN Client application is described in
a stand-alone document Kerio VPN Client — User’s Guide.

For current version of the product, go to http://www.kerio.com/firewall/download. For
other documents addressing the product, see http://www.kerio.com/firewall/manual.

Information regarding registered trademarks and trademarks are provided in appendix A.

Products Kerio WinRoute Firewall and Kerio VPN Client include open source software. To
view the list of open source items included, refer to attachment B.

Contents

1 Quick Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.1 What’s new in 6.7.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.2 Conflicting software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.3 System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.4 Installation - Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.5 Initial configuration wizard (Windows) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.6 Upgrade and Uninstallation - Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2.7 Installation - Software Appliance and VMware Virtual Appliance . . . . . . . . . . . 20

2.8 Upgrade - Software Appliance / VMware Virtual Appliance . . . . . . . . . . . . . . . . 23

2.9 WinRoute Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.10 WinRoute Engine Monitor (Windows) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance) . . . . 25

3 WinRoute Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

3.1 Administration Console - the main window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.2 Administration Console - view preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4 Product Registration and Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.1 License types and number of users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.2 License information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.3 Registration of the product in the Administration Console . . . . . . . . . . . . . . . . 35

4.4 Product registration at the website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

4.5 Subscription / Update Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

4.6 User counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

5 Network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6 Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

6.1 Persistent connection with a single link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

6.2 Connection with a single leased link - dial on demand . . . . . . . . . . . . . . . . . . . . . 57

6.3 Connection Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

6.4 Network Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

7 Traffic Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

7.1 Network Rules Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

7.2 How traffic rules work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

7.3 Definition of Custom Traffic Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

7.4 Basic Traffic Rule Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

3

7.5 Policy routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

7.6 User accounts and groups in traffic rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

7.7 Partial Retirement of Protocol Inspector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

7.8 Use of Full cone NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

7.9 Media hairpinning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

8 Configuration of network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

8.1 DNS module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

8.2 DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

8.3 Dynamic DNS for public IP address of the firewall . . . . . . . . . . . . . . . . . . . . . . . 119

8.4 Proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

8.5 HTTP cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

9 Bandwidth Limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

9.1 How the bandwidth limiter works and how to use it . . . . . . . . . . . . . . . . . . . . . 130

9.2 Bandwidth Limiter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

9.3 Detection of connections with large data volume transferred . . . . . . . . . . . . 135

10 User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

10.1 Firewall User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

11 Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

11.1 Web interface preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

11.2 User authentication at the web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

12 HTTP and FTP filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

12.1 Conditions for HTTP and FTP filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

12.2 URL Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

12.3 Content Rating System (Kerio Web Filter) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

12.4 Web content filtering by word occurrence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

12.5 FTP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

13 Antivirus control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

13.1 Conditions and limitations of antivirus scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

13.2 How to choose and setup antiviruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

13.3 HTTP and FTP scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

13.4 Email scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

13.5 Scanning of files transferred via Clientless SSL-VPN (Windows) . . . . . . . . . . . 178

14 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

14.1 IP Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

14.2 Time Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

14.3 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

14.4 URL Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

4

15 User Accounts and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

15.1 Viewing and definitions of user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

15.2 Local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

15.3 Local user database: external authentication and import of accounts . . . . . 203

15.4 User accounts in Active Directory — domain mapping . . . . . . . . . . . . . . . . . . . 204

15.5 User groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

16 Administrative settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

16.1 System configuration (Software Appliance / VMware Virtual Appliance) . . 214

16.2 Setting Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

16.3 Update Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

17 Advanced security features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

17.1 P2P Eliminator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

17.2 Special Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

18 Other settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

18.1 Routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

18.2 Universal Plug-and-Play (UPnP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

18.3 Relay SMTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

19 Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

19.1 Active hosts and connected users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

19.2 Network connections overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

19.3 List of connected VPN clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

19.4 Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

20 Basic statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

20.1 Volume of transferred data and quota usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

20.2 Interface statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

21 Kerio StaR - statistics and reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

21.1 Monitoring and storage of statistic data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

21.2 Settings for statistics and quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

21.3 Connection to StaR and viewing statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

22 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

22.1 Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

22.2 Logs Context Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

22.3 Alert Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

22.4 Config Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

22.5 Connection Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

22.6 Debug Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

22.7 Dial Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

22.8 Error Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

5

22.9 Filter Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

22.10 Http log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

22.11 Security Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

22.12 Sslvpn Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

22.13 Warning Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

22.14 Web Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

23 Kerio VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

23.1 VPN Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

23.2 Configuration of VPN clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

23.3 Interconnection of two private networks via the Internet (VPN tunnel) . . . 291

23.4 Exchange of routing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

23.5 Example of Kerio VPN configuration: company with a filial office . . . . . . . . . 297

23.6 Example of a more complex Kerio VPN configuration . . . . . . . . . . . . . . . . . . . . 310

24 Kerio Clientless SSL-VPN (Windows) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

24.1 Configuration of WinRoute’s SSL-VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

24.2 Usage of the SSL-VPN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

25 Specific settings and troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

25.1 Configuration Backup and Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

25.2 Configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

25.3 Automatic user authentication using NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

25.4 FTP on WinRoute’s proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

25.5 Internet links dialed on demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

26 Technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

26.1 Essential Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

26.2 Tested in Beta version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

A Legal Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

B Used open source items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Glossary of terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

6

Chapter 1

Quick Checklist

In this chapter you can find a brief guide for a quick setup of Kerio WinRoute Firewall (referred
to as “WinRoute” within this document). After this setup the firewall should be immediately
available and able to share your Internet connection and protect your local network. For
a detailed guide refer to the separate WinRoute — Step-by-Step Configuration guide.

If you are not sure how to set any of the Kerio WinRoute Firewall functions or features, look up
the appropriate chapter in this manual. For information about your Internet connection (such
as your IP address, default gateway, DNS server, etc.) contact your ISP.

Note: In this guide, the expression firewall represents the host where WinRoute is (or will be)
installed.

1. The firewall must include at least two interfaces — one must be connected to the local
network (e.g. Ethernet or WiFi network adapter), another must be connected to the Internet
(e.g. Ethernet or WiFi network adapter, USB ADSL modem, analog modem or an ISDN
adapter).

On Windows, test functionality of the Internet connection and of traffic among hosts within
the local network before you run the WinRoute installation. This test will reduce possible
problems with debugging and error detections.

2. Run WinRoute installation and in the wizard provide required basic parameters (for details,
see chapter

3. Set interface groups and basic traffic rules using the Network Rules Wizard (see chap­ter 7.1).

4. Run the DHCP server and set required IP ranges including their parameters (subnet mask,
default gateway, DNS server address/domain name). For details, see chapter 8.2.

5. Check DNS module settings. Define the local DNS domain if you intend to scan the hosts
file and/or the DHCP server table. For details, see chapter 8.1.

6. Set user mapping from the Active Directory domain or create/import local user accounts
and groups. Set user access rights. For details see chapter 15.

7. Define IP groups (chapter 14.1), time ranges (chapter 14.2) and URL groups (chapter 14.4),
that will be used during rules definition (refer to chapter 14.2).

8. Create URL rules (chapter 12.2) and set the Kerio Web Filter module (chapter 12.3). Set
HTTP cache and automatic configuration of browsers (chapter 8.5). Define FTP rules (chap­ter 12.5).

2.4 or 2.7).

7

Chapter 1 Quick Checklist

9. Select an antivirus and define types of objects that will be scanned.

If you choose the integrated McAfee antivirus application, check automatic update settings
and edit them if necessary.

External antivirus must be installed before it is set in WinRoute, otherwise it is not available
in the combo box.

10. Using one of the following methods set TCP/IP parameters for the network adapter of
individual LAN clients:

• Automatic configuration — activate the Obtain an IP address automatically option.
Do not set any other parameters.

• Manual configuration — define IP address, subnet mask, default gateway address,
DNS server address and local domain name.

Use one of the following methods to set the Web browser at each workstation:

• Automatic configuration — activate the Automatically detect settings option (Inter-
net Explorer) or specify URL for automatic configuration (other types of browsers).

For details, refer to chapter 8.5.

• Manual configuration — select type of connection via the local network or define
IP address and appropriate proxy server port (see chapter 8.4).

8

Chapter 2

Introduction

2.1 What’s new in 6.7.1

In version 6.7.1, WinRoute brings the following new features:

Kerio WinRoute Firewall Software Appliance / VMware Virtual Appliance

Kerio WinRoute Firewall is now available as a so called software appliance (Software Ap­pliance / VMware Virtual Appliance). This appliance is distributed as a full installation

package with the firewall and operating system and can be installed on a physical or
virtual computer without an operating system. Software Appliance cannot be installed
on a computer with another operating system. Installation package of the standalone
product for installation on Linux is not available.
Kerio WinRoute Firewall in the Software Appliance / VMware Virtual Appliance edition
provides the same features as the Windows version, only with the Kerio Clientless SSL-
VPN interface missing.

Web administration interface (Web Administration)

The new Web Administration interface allows both remote and local administration of
the firewall without the need to install the Kerio Administration Console. This interface
allows configuration of crucial WinRoute parameters — the interface, traffic policy, HTTP
and FTP filtering rules, user accounts and groups, etc. However, the Kerio Administration
Console is still available and allow setting of all configuration options.
The Web Administration interface is available at https://server:4081/admin (server
stands for the firewall name or IP address and 4081 for the default port of its web inter­face).
Refer to chapter 3 for more information.

Exporting and Importing Configuration

WinRoute now includes also a special backup-and-recovery tool which allows to back up
and recover full configuration including local user accounts and SSL certificates. These
functions allow easy and quick recovery of the firewall for cases of hardware failure,
transfer to another computer and cloning of an identical configuration for multiple fire­walls. To export or import configuration, go to the Web Administration interface.
More details can be found in chapter

Kerio Web Filter, the new web page rating module

Kerio Web Filter is a special module, used for rating of web pages in accordance to their
content categories. In WinRoute, it replaces the ISS OrangeWeb Filter module. The way of
how filtering rules are created is the same as before.
More details can be found in chapter 12.3.

25.1.

9

Chapter 2 Introduction

Support for Windows 7

Kerio WinRoute Firewall now includes full support for the new operating system Microsoft
Windows 7.

2.2 Conflicting software

WinRoute can be run with most of common applications. However, there are certain applica­tions that should not be run at the same host as WinRoute for this could result in collisions.

The computer where WinRoute is installed (the host) can be also used as a workstation. How­ever, it is not recommended — user interaction may affect performance of the operating sys­tem which affects WinRoute performance badly.

Collision of low-level drivers

WinRoute collides with system services and applications the low-level drivers of whose
use a similar or an identical technology. The security log contains the following types of
services and applications:

• The Internet Connection Firewall / Internet Connection Sharing system service.
WinRoute can detect and automatically disable this service.

• The system service Routing and Remote Access Service (RRAS) in Windows Server
operating systems. This service allows also sharing of Internet connection (NAT).
WinRoute can detect if NAT is active in the RRAS service; if it is, a warning is dis­played. In reaction to the alert message, the server administrator should disable
NAT in the RRAS configuration.
If NAT is not active, collisions should be avoided and WinRoute can be used hand
in hand with the RRAS service.

• Network firewalls — e.g. Microsoft ISA Server.

• Personal firewalls, such as Sunbelt Personal Firewall, Zone Alarm, Norton Personal

Firewall, etc.

• Software designed to create virtual private networks (VPN) — i.e. software appli­cations developed by the following companies: CheckPoint, Cisco Systems, Nortel,
etc. There are many applications of this type and their features vary from vendor
to vendor.
Under proper circumstances, use of the VPN solution included in WinRoute is
recommended (for details see chapter
a particular VPN server or VPN client with WinRoute trial version or to contact
our technical support (see chapter 26).
Note: VPN implementation included in Windows operating system (based on the
PPTP protocol) is supported by WinRoute.

23). Otherwise, we recommend you to test

Port collision

Applications that use the same ports as the firewall cannot be run at the WinRoute host
(or the configuration of the ports must be modified).
If all services are running, WinRoute uses the following ports:

10

2.3 System requirements

• 53/UDP — DNS module,

• 67/UDP — DHCP server,

• 1900/UDP — the SSDP Discovery service,

• 2869/TCP — the UPnP Host service.

The SSDP Discovery and UPnP Host services are included in the UPnP support
(refer to chapter 18.2).

• 44333/TCP+UDP — traffic between Kerio Administration Console and WinRoute
Firewall Engine. This service cannot be stopped.

The following services use corresponding ports by default. Ports for these services can
be changed.

• 443/TCP — server of the SSL-VPN interface (only in WinRoute on Windows — see
chapter 24),

• 3128/TCP — HTTP proxy server (see chapter 8.4),

• 4080/TCP — web interface of the firewall (refer to chapter 11),

• 4081/TCP — secured (SSL-encrypted) version of the firewall’s web interface (see

chapter 11) ,

• 4090/TCP+UDP — proprietary VPN server (for details refer to chapter 23).

Antivirus applications

Most of the modern desktop antivirus programs (antivirus applications designed to pro­tect desktop workstations) scans also network traffic — typically HTTP, FTP and email
protocols. WinRoute also provides with this feature which may cause collisions. Therefore
it is recommended to install a server version of your antivirus program on the WinRoute
host. The server version of the antivirus can also be used to scan WinRoute’s network
traffic or as an additional check to the integrated antivirus McAfee (for details, see chap­ter 13).
If the antivirus program includes so called realtime file protection (automatic scan of
all read and written files), it is necessary to exclude directories cache (HTTP cache in
WinRoute see chapter
antivirus to check objects downloaded via HTTP or FTP protocols (see chapter 13.3), the
cache directory can be excluded with no risk — files in this directory have already been
checked by the antivirus.
The McAfee integrated antivirus plug-in does not interact with antivirus application in­stalled on the WinRoute host (provided that all the conditions described above are met).

8.5) and tmp (used for antivirus check). If WinRoute uses an

2.3 System requirements

Requirements on minimal hardware parameters of the host where WinRoute will be installed:

• CPU 1 GHz,

• 1 GB RAM,

• Two network interfaces (including dial-ups).

For Windows:

11

Chapter 2 Introduction

• 50 MB free disk space for installation of Kerio WinRoute Firewall.

• Disk space for statistics (see chapter 21) and logs (in accordance with traffic flow and

logging level — see chapter 22).

• to keep the installed product (especially its configuration files) as secure as possible,
it is recommended to use the NTFS file system.

For Kerio WinRoute Firewall Software Appliance:

• Minimum 3 GB hard disk.

• No operating system is required to be installed on the computer. Any existing operat-

ing system will be removed from the computer.

For Kerio WinRoute Firewall VMware Virtual Appliance:

• VMware Player, VMware Workstation or VMware Server.

• 3 GB free disk space.

The following browsers can be used to access the WinRoute (Kerio StaR — see chapter 21 and
Kerio SSL-VPN — see chapter 24) web services:

• Internet Explorer 7 or higher,

• Firefox 2 or higher,

• Safari 3 or higher.

2.4 Installation - Windows

Installation packages

Kerio WinRoute Firewall is distributed in two editions: one is for 32-bit sys-
tems and the other for 64-bit systems (see the product’s download page:

http://www.kerio.com/firewall/download).

The 32-bit edition (the “win32” installation package) supports the following operating systems:

• Windows 2000,

• Windows XP (32 bit),

• Windows Server 2003 (32 bit),

• Windows Vista (32 bit),

• Windows Server 2008 (32 bit).

The 64-bit edition (the “win64” installation package) supports the following operating systems:

• Windows XP (64 bit),

• Windows Server 2003 (64 bit),

• Windows Vista (64 bit),

• Windows Server 2008 (64 bit).

Older versions of Windows operating systems are not supported.

12

2.4 Installation - Windows

Note:

1. WinRoute installation packages include the Kerio Administration Console. The separate
Kerio Administration Console installation package (file kerio-kwf-admin*.exe) is de-

signed for full remote administration from another host. This package is identical both for
32-bit and 64-bit Windows systems. For details on WinRoute administration, see chapter 3.

2. For correct functionality of the Kerio StaR interface (see chapter 21), it is necessary that
the WinRoute host’s operating system supports all languages that would be used in the
Kerio StaR interface. Some languages (Chinese, Japanese, etc.) may require installation of
supportive files. For details, refer to documents regarding the corresponding operating
system.

Steps to be taken before the installation

Install WinRoute on a computer which is used as a gateway connecting the local network and
the Internet. This computer must include at least one interface connected to the local network
(Ethernet, WiFi, etc.) and at least one interface connected to the Internet. You can use either
a network adapter (Ethernet, WiFi, etc.) or a modem (analog, ISDN, etc.) as an Internet interface.

We recommend you to check through the following items before you run WinRoute installation:

• Time of the operating system should be set correctly (for timely operating system and
antivirus upgrades, etc.),

• The latest service packs and any security updates should be applied,

• TCP/IP parameters should be set for all available network adapters,

• All network connections (both to the local network and to the Internet) should function

properly. You can use for example the ping command to detect time that is needed
for connections.

These checks and pre-installation tests may protect you from later problems and complica­tions.

Note: Basic installation of all supported operating systems include all components required
for smooth functionality of WinRoute.

Installation and Basic Configuration Guide

Once the installation program is launched (i.e. by kerio-kwf-6.6.0-5700-win32.exe), it is
possible to select a language for the installation wizard. Language selection affects only the
installation, language of the user interface can then be set separately for individual WinRoute
components.

In the installation wizard, you can choose either Full or Custom installation. Custom mode will
let you select optional components of the program:

13

Chapter 2 Introduction

Figure 2.1 Installation — customization by selecting optional components

• Kerio WinRoute Firewall Engine — core of the application.

• VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN).

• Administration Console — the Kerio Administration Console application (universal con-

sole for all server applications of Kerio Technologies) including WinRoute administra­tion tools.

• Help files — this manual in the HTML Help format. For help
files details, see Kerio Administration Console — Help (available at

http://www.kerio.com/firewall/manual).

Go to chapter 2.9 for a detailed description of all WinRoute components. For detailed descrip­tion on the proprietary VPN solution, refer to chapter 23.

Having completed this step, you can start the installation process. All files will be copied to
the hard disk and all the necessary system settings will be performed. The initial Wizard will
be run automatically after your first login (see chapter 2.5).

Under usual circumstances, a reboot of the computer is not required after the installation (a
restart may be required if the installation program rewrites shared files which are currently in
use). This will install the WinRoute low-level driver into the system kernel. WinRoute Engine
will be automatically launched when the installation is complete. The engine runs as a service.

Note:

1. If you selected the Custom installation mode, the behavior of the installation program will
be as follows:

14

2.4 Installation - Windows

• all checked components will be installed or updated,

• all checked components will not be installed or will be removed

During an update, all components that are intended to remain must be ticked.

2. The installation program does not allow to install the Administration Console separately.
Installation of the Administration Console for the full remote administration requires
a separate installation package (file kerio-kwf-admin*.exe).

Protection of the installed product

To provide the firewall with the highest security possible, it is necessary to ensure that unde­sirable (unauthorized) persons has no access to the critical files of the application, especially
to configuration files. If the NTFS system is used, WinRoute refreshes settings related to access
rights to the directory (including all subdirectories) where the firewall is installed upon each
startup. Only members of the Administrators group and local system account (SYSTEM) are
assigned the full access (read/write rights), other users are not allowed access the directory.

Warning

If the FAT32 file system is used, it is not possible to protect WinRoute in the way suggested
above. For this reason, it is recommended to install WinRoute only on computers which use
the NTFS file system.

Conflicting Applications and System Services

The WinRoute installation program detects applications and system services that might con­flict with the WinRoute Firewall Engine.

1. Windows Firewall’s system components1and Internet Connection Sharing.

These components provide the same low-level functions as WinRoute. If they are run­ning concurrently with WinRoute, the network communication would not be functioning
correctly and WinRoute might be unstable. Both components are run by the Windows
Firewall / Internet Connection Sharing system service.2.

Warning

To provide proper functionality of WinRoute, it is necessary that the Internet Connection
Firewall / Internet Connection Sharing detection is stopped and forbidden!

1

In Windows XP Service Pack 1 and older versions, the integrated firewall is called Internet Connection Firewall.

2

In the older Windows versions listed above, the service is called Internet Connection Firewall / Internet Connection

Sharing.

15

Chapter 2 Introduction

2. Universal Plug and Play Device Host and SSDP Discovery Service

The services support UPnP (Universal Plug and Play) in the Windows XP, Windows
Server 2003, Windows Vista and Windows Server 2008 operating systems. However, these
services collide with the UPnP support in WinRoute (refer to chapter 18.2).

The WinRoute installation includes a dialog where it is possible to disable colliding system
services.

Figure 2.2 Disabling colliding system services during installation

By default, the WinRoute installation disables all the colliding services listed. Under usual
circumstances, it is not necessary to change these settings. Generally, the following rules are
applied:

• The Windows Firewall / Internet Connection Sharing (ICS) service should be disabled.
Otherwise, WinRoute will not work correctly. The option is a certain kind of warning
which informs users that the service is running and that it should be disabled.

• To enable support for the UPnP protocol in WinRoute (see chapter 18.2), it is neces-
sary to disable also services Universal Plug and Play Device Host and SSDP Discovery
Service.

• If you do not plan to use support for UPnP in WinRoute, it is not necessary to disable
the Universal Plug and Play Device Host and SSDP Discovery Serviceservices.

Note:

1. Upon each startup, WinRoute detects automatically whether the Windows Firewall / Inter­net Connection Sharing is running. If it is, WinRoute stops it and makes a record in the

16

2.5 Initial configuration wizard (Windows)

warning log. This helps assure that the service will be enabled/started immediately after
the WinRoute installation.

2. On Windows XP Service Pack 2, Windows Server 2003, Windows Vista and Windows
Server 2008, WinRoute registers in the Security Center automatically. This implies that
the Security Center always indicates firewall status correctly and it does not display warn­ings informing that the system is not protected.

2.5 Initial configuration wizard (Windows)

Using this wizard you can define all basic WinRoute parameters. It is started automatically by
the installation program for Windows.

Setting of administration username and password

Definition of the administration password is essential for the security of the firewall. Do not
use the standard (blank) password, otherwise unauthorized users may be able to access the
WinRoute configuration.

Figure 2.3 Initial configuration — Setting of administration username and password

17

Chapter 2 Introduction

Password and its confirmation must be entered in the dialog for account settings. Name Admin
can be changed in the Username edit box.

Note: If the installation is running as an upgrade, this step is skipped since the administrator
account already exists.

Remote Access

Immediately after the first WinRoute Firewall Engine startup all network traffic will be blocked
(desirable traffic must be permitted by traffic rules — see chapter 7). If WinRoute is installed
remotely (i.e. using terminal access), communication with the remote client will be also inter­rupted immediately (WinRoute must be configured locally).

Within Step 2 of the configuration wizard specify the IP address of the host from which the
firewall will be controlled remotely to enable remote installation and administration. Thus

WinRoute will enable all traffic between the firewall and the remote host.

Note: Skip this step if you install WinRoute locally. Allowing full access from a point might

endanger security.

Figure 2.4 Initial configuration — Allowing remote administration

18

2.6 Upgrade and Uninstallation - Windows

Enable remote access

This option enables full access to the WinRoute computer from a selected IP address

Remote IP address

IP address of the computer from where you will be connecting (e.g. terminal services
client). This field must contain an IP address. A domain name is not allowed.

Warning

The remote access rule is disabled automatically when WinRoute is configured using the net­work policy wizard (see chapter 7.1).

2.6 Upgrade and Uninstallation - Windows

Upgrade

Simply run the installation of a new version to upgrade WinRoute (i.e. to get a new release
from the Kerio Web pages — http://www.kerio.com/).

All windows of the Kerio Administration Console must be closed before the (un)installation is
started. All of the three WinRoute components will be stopped and closed automatically.

The installation program detects the directory with the former version and updates it by re­placing appropriate files with the new ones automatically. License, all logs and user defined
settings are kept safely.

Note: This procedure applies to upgrades between versions of the same series (e.g. from

6.6.0 to 6.6.1) or from a version of the previous series to a version of the subsequent series

(e.g. from 6.5.2 to 6.6.0). For case of upgrades from an older series version (e.g. 6.3.1), full
compatibility of the configuration cannot be guaranteed and it is recommended to upgrade
“step by step” (e.g. 6.3.1 → 6.4.0 → 6.5.0 → 6.6.0) or to uninstall the old version along with all
files and then install the new version “from scratch”.

Update Checker

WinRoute enables automatic checks for new versions of the product at the Kerio Technologies
website. Whenever a new version is detected, its download and installation will be offered
automatically.

For details, refer to chapter 16.3.

Uninstallation

To uninstall WinRoute, stop all three WinRoute components. The Add/Remove Programs
option in the Control Panel launches the uninstallation process. All files under the WinRoute
directory can be optionally deleted.

(the typical path is C:\Program Files\Kerio\WinRoute Firewall)

— configuration files, SSL certificates, license key, logs, etc.

19

Chapter 2 Introduction

Figure 2.5 Uninstallation — asking user whether files created in WinRoute should be deleted

Keeping these files may be helpful for copying of the configuration to another host or if it is
not sure whether the SSL certificates were issued by a trustworthy certification authority.

During uninstallation, the WinRoute installation program automatically refreshes the original
status of the Windows Firewall / Internet Connection Sharing, Universal Plug and Play Device
Host) and SSDP Discovery Service system services.

2.7 Installation - Software Appliance and VMware Virtual Appliance

WinRoute in the software appliance edition is distributed:

• as an ISO of the installation CD which is used to install the system and then install the
firewall either on a physical or virtual computer (Software Appliance),

• as a virtual appliance for VMware (VMware Virtual Appliance).

Standalone WinRoute installation package for installation on previously installed Linux is not
available.

Software Appliance / VMware Virtual Appliance installation process consists of the following
simple steps:

20

2.7 Installation - Software Appliance and VMware Virtual Appliance

Start of the installation

Software Appliance

ISO image of the installation CD can be burned on a physical CD and then the CD can
be used for installation of the system on the target computer (either physical or virtual).
In case of virtual computers, the ISO image can be also connected as a virtual CD ROM,
without the need to burn the installation ISO file on a CD.
Note: Kerio WinRoute Firewall Software Appliance cannot be installed on a computer with
another operating system. Existing operating system on the target disk will be removed
within the installation.

VMware Virtual Appliance

Unzip the distribution package (Zip) and open the .vmx file in your VMware application
(VMware Player, VMware Workstation, VMware Server). This runs the Kerio WinRoute
Firewall installer.

The following steps are identical both for Software Appliance and Virtual Appliance.

Language selection

The selected language will be used both for WinRoute installation and for the firewall’s console
(see chapter 2.11).

Selection of target hard disk

If the installation program detects more hard disks in the computer, then it is necessary to
select a disk for WinRoute installation. Content of the selected disk will be completely removed
beforeWinRoute installation, while other disk are not affected by the installation.

If there is an only hard disk detected on the computer, the installer continues with the follow­ing step automatically. If no hard disk is found, the installation is closed. Such error is often
caused by an unsupported hard disk type or hardware defect.

Selection of network interface for the local network and access to administration

The installer lists all detected network interfaces of the firewall. Select an interface which is
connected to the local (trustworthy) network which the firewall will be remotely administered
from.

In the field, a computer may have multiple interfaces of the same type and it is therefore not
easy to recognize which interface is connected to the local network and which to the Internet.
To a certain extent, hardware addresses of the adapters can be a clue or you can experiment
— select an interface, complete the installation and try to connect to the administration. If the
connection fails, use option Network Configuration in the main menu of the firewall’s console
to change the settings (see chapter 2.11).

There can also arise another issue — that the program does not detect some or any network
adapters. In such case, it is recommended to use another type of the physical or virtual (if the

21

Chapter 2 Introduction

virtual computer allows this) adapter or install WinRoute Software Appliance on another type
of virtual machine. If such issue arises, it is highly recommended to consult the problem with
the Kerio Technologies technical support (see chapter 26).

provided that no network adapter can be detected, it is not possible to continue installing
WinRoute.

Setting of the local interface’s IP address

It is now necessary to define IP address and subnet mask for the selected local network inter­face. These parameters can be defined automatically by using information from a DHCP server
or manually.

For the following reasons, it is recommended to set local interface parameters manually:

• Automatically assigned IP address can change which may cause problems with con­nection to the firewall administration (although the IP address can be reserved on the
DHCP server, this may bring other problems).

• In most cases WinRoute will be probably used itself as a DHCP server for local hosts
(workstations).

Admin password

The installation requires specification of the password for the account Admin (the account of
the main administrator of the firewall). Username Admin with this password are then used for
access:

• to the firewall’s console (see chapter 2.11),

• to the remote administration of the firewall via the web administration interface (see

chapter 3),

• to the remote administration of the firewall via the Kerio Administration Console (see
chapter 3).

Remember this password or save it in a secured location and keep it from anyone else!

Time zone, date and time settings

Many WinRoute features (user authentication, logs, statistics, etc.) require correct setting of
date, time and time zone on the firewall. Select your time zone and in the next page check
(and change, if necessary) date and time settings.

Completing the installation

Once all these parameters are set, the WinRoute Firewall Engine service (daemon) is started.
While the firewall is running, the firewall’s console will display information about remote ad­ministration options and change of some basic configuration parameters — see chapter 2.11.

22

2.8 Upgrade - Software Appliance / VMware Virtual Appliance

2.8 Upgrade - Software Appliance / VMware Virtual Appliance

WinRoute can be upgraded by the following two methods:

• by starting the system from the installation CD (or a mounted ISO) of the new version.
The installation process is identical with the process of a new installation with an the
only exception that at the start the installer asks you whether to execute an upgrade
(any existing data will be kept) or a new installation (all configuration files, statistics,
logs, etc will be removed). For details, see chapter

• by the Kerio Administration Console update checker. For details, refer to chapter 16.3

2.7.

2.9 WinRoute Components

WinRoute consists of the following modules:

WinRoute Firewall Engine

WinRoute Firewall Engine is the core of the program that provides all services and func­tions. It is running as a service in the operating system (the service is called Kerio
WinRoute Firewall and it is run automatically within the system account by default).

WinRoute Engine Monitor (Windows only)

Allows viewing and modification of the Engine’s status (stopped / running) and setting
of start-up preferences (i.e. whether Engine and Monitor should be run automatically at
system start-up). It also provides easy access to the Administration Console. For details,
refer to chapter 2.10.

Note: WinRoute Firewall Engine is independent on the WinRoute Engine Monitor. The
Engine can be running even if there is no icon in the system tray.

Kerio Administration Console (Windows only)

It is a versatile console for full local or remote administration of Kerio Technologies server
products. For successful connection to an application you need a plug-in with an appro­priate interface.
Kerio Administration Console is installed on Windows hand-in-hand with the appropriate
module during the installation of Kerio WinRoute. The separate installation package Kerio
Administration Console for WinRoute is available for remote administration from another
host. The Kerio Administration Console is available for Windows only, but it can be used
for administration of both WinRoute installed on Windows and Kerio WinRoute Firewall
Software Appliance / VMware Virtual Appliance.
Detailed guidance for Kerio Administration Console is provided in Kerio Administration
Console — Help (http://www.kerio.com/firewall/manual).

The firewall’s console (Software Appliance / VMware Virtual Appliance only)

The firewall’s console is a simple interface permanently running on the WinRoute host. It
allows to set basic parameters of the operating system and the firewall for cases when it
is not possible to administer it remotely via the Web Administration interface or the Kerio
Administration Console.

23

Chapter 2 Introduction

2.10 WinRoute Engine Monitor (Windows)

WinRoute Engine Monitor is a standalone utility used to control and monitor the WinRoute
Firewall Engine status. The icon of this component is displayed on the toolbar.

Figure 2.6 WinRoute Engine Monitor icon in the Notification Area

If WinRoute Engine is stopped, a white crossed red spot appears on the icon. Under different
circumstances, it can take up to a few seconds to start or stop the WinRoute Engine application.
For this time the icon gets grey and is inactive.

On Windows, left double-clicking on this icon runs the Kerio Administration Console (described
later). Use the right mouse button to open the following menu:

Figure 2.7 WinRoute Engine Monitor menu

Start-up Preferences

With these options WinRoute Engine and/or WinRoute Engine Monitor applications can
be set to be launched automatically when the operating system is started. Both options
are enabled by default.

Administration

Runs Kerio Administration Console (equal to double-clicking on the WinRoute Engine Mon­itor icon).

Internet Usage Statistics

Opens Internet Usage Statistics in the default browser. For details, see chapter 21.

Start / Stop WinRoute Firewall

Switches between the Start and Stop modes. The text displays the current mode status.

Exit Engine Monitor

An option to exit WinRoute Engine Monitor. It does not affect status of the WinRoute
Engine application (this will be announced by a report).

24

2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance)

Note:

1. If a limited version of WinRoute is used (e.g. a trial version), a notification is displayed
7 days before its expiration. This information is displayed until the expiration.

2. WinRoute Engine Monitor is available in English only.

2.11 The firewall’s console (Software Appliance / VMware Virtual Appli-

ance)

On the console of the computer where Kerio WinRoute Firewall Software Appliance / VMware
Virtual Appliance is running, information about the firewall remote administration options

is displayed. Upon authenticating by the administration password (see above), this console
allows to change some basic settings, restore default settings after installation and shut down
or restart the computer.

By default, the console shows only information about URL or IP address which can be used
for firewall administration via the firewall’s web administration interface or the Kerio Admin-
istration Console. To access configuration options, authentication with the Admin password is
required (Admin is the main firewall administrator’s account). If idle for some time, the user
gets logged out automatically and the welcome page of the console showing details on the
firewall’s remote administration is displayed again.

The firewall’s console provides the following configuration options:

Network Interface Configurations

This option allows to show or/and edit parameters of individual network interfaces of the
firewall. Each interface allows definition of automatic configuration via DHCP or manual
configuration of IP address, subnet mask and default gateway.
Note: No default gateway should be set on interfaces connected to the local network,
otherwise this firewall cannot be used as a gateway for the Internet access.

Remote administration policy settings

When you change the firewall’s traffic policy (see chapter 7) via the web administration
interface or the Kerio Administration Console, you may happen to block access to the
remote administration accidentally.
If you are sure that the firewall’s network interfaces are configured correctly and despite
of that it is not possible to access the remote administration, you can use the Remote
Administration option to change the traffic policy so that the rules do not block remote
administration on any interface.
Upon saving changes in traffic rules, the Kerio WinRoute Firewall Engine service will be
restarted automatically.
I the field, unblocking of the remote administration means that a rule will be added to
the top of the traffic policy table that would allow access KWF Admin (connection with
the Kerio Administration Console), KWF WebAdmin (unsecured web interface) and KWF
WebAdmin-SSL (secured web interface) services from any computer .

25

Chapter 2 Introduction

Shutting down / restarting the firewall

If you need to shut your computer down or reboot it, these options provide secure closure
of the Kerio WinRoute Firewall Engine and shutdown of the firewall’s operating system.

Restoring default configuration

This option restores the default firewall settings as installed from the installation CD
or upon the first startup of the VMware virtual host. All configuration files and data
(logs, statistics, etc.) will be removed and it will then be necessary to execute the initial
configuration of the firewall again as if a new installation (see chapter

2.7).

Restoring the default configuration can be helpful if the firewall’s configuration is acci­dentally damaged that much that it cannot be corrected by any other means.

26

Chapter 3

WinRoute Administration

For WinRoute configuration, two tools are available:

The Web Administration interface

The Web Administration interface allows both remote and local administration of the
firewall via a common web browser. In the current version of WinRoute, the Web Admin-
istration allows configuration of all crucial WinRoute parameters:

• network interfaces,

• traffic rules,

• HTTP and FTP filtering rules,

• user accounts, groups and domains,

• IP groups, URL groups, time ranges and network services.

The Web Administration interface is available at https://server:4081/admin (server
stands for the firewall name or IP address and 4081 for the default port of its web in­terface). HTTPS traffic between the client and the WinRoute Firewall Engine is encrypted.
This protects the communication from tapping and misuse. It is recommended to use the
unsecured version of the Web Administration (the HTTP protocol) only for local adminis­tration of WinRoute (i.e. administration from the computer where it is installed).

Kerio Administration Console

Kerio Administration Console (referred to as the Administration Console in this document)
is an application used for administration of all Kerio Technologies’ server products. All
WinRoute parameters can be configured here.
Using this program you can access the firewall either locally (from the WinRoute host)
or remotely (from another host). Traffic between Administration Console and WinRoute

Firewall Engine is encrypted. This protects you from tapping and misuse.
Kerio Administration Console is installed on Windows hand-in-hand with it during the

installation of Kerio WinRoute.
The separate installation package Kerio Administration Console for WinRoute is available
for remote administration from another host. The Kerio Administration Console is avail­able for Windows only, but it can be used for administration of both WinRoute installed
on Windows and Kerio WinRoute Firewall Software Appliance / VMware Virtual Appliance.
Detailed guidelines for the Administration Console are provided under Kerio Ad-

ministration Console — Help (to view these guidelines, use option Help → Con­tents in the main Administration Console window, or you can download it from

http://www.kerio.com/firewall/manual).

27

Chapter 3 WinRoute Administration

The following chapters of this document address individual sections of the Administration
Console, the module which allows full configuration. The Web Administration interface is
almost identical as the Administration Console and its sections.

Note:

1. The Web Administration interface and the Administration Console for WinRoute are avail­able in 16 localization versions. The Web Administration interface allows language selec­tion by simple switching of the flag located in the top right corner of the window or by
following the browser language preferences. The Administration Console allows language
settings in the Tools menu of the login dialog box.

2. Upon the first login to the Administration Console after a successful WinRoute installation,
the traffic rules wizard is run so that the initial WinRoute configuration can be performed.
For a detailed description on this wizard, please refer to chapter 7.17.1.

3.1 Administration Console - the main window

The WinRoute administration dialog window (“administration window”) will be opened upon
a successful login to the WinRoute Firewall Engine through the Administration Console. This
window is divided into two parts:

Figure 3.1 The main window of Administration Console for WinRoute

28

3.1 Administration Console - the main window

• The left column contains the tree view of sections. The individual sections of the
tree can be expanded and collapsed for easier navigation. Administration Console
remembers the current tree settings and uses them upon the next login.

• In the right part of the window, the contents of the section selected in the left column
is displayed (or a list of sections in the selected group).

Administration Window — Main menu

The main menu provides the following options:

File

• Reconnect — reconnection to the WinRoute Firewall Engine after a connection
drop-out (caused for example by a restart of the Engine or by a network error).

• New connection — opens the main window of the Administration Console. Use
a bookmark or the login dialog to connect to a server.
This option can be useful when the console will be used for administration of
multiple server applications (e.g. WinRoute at multiple servers). For details, refer
to the Help section in the Administration Console manual.

Note: The New Connection option opens the same dialog as running the Adminis­tration Console from the Start menu.

• Quit — this option terminates the session (users are logged out of the server and
the administration window is closed). The same effect can be obtained by clicking
the little cross in the upper right corner of the window or pressing Alt+F4 or
Ctrl+Q.

The Edit menu (on the welcome page only)

Options under Edit are related to product registration and licensing. The options available
in the menu depend on the registration status (for example, if the product is registered
as a trial version, it is possible to use options of registration of a purchased license or
a change of registration data).

• Copy license number to clipboard — copies the license number (the ID licence
item) to the clipboard. This may be helpful e.g. when ordering an upgrade or
subscription, where the number of the base license is required, or when sending
an issue to the Kerio Technologies technical support.

• Register trial version — registration of the product’s trial version.

• Register product — registration of a product with a purchased license number.

• Install license — use this option to import your license key file (for details, see

chapter

4.4).

Help menu

• Show Server’s Identity — this option provides information about the firewall
which the Administration Console is currently connected to (name or IP address
of the server, port and SSL-certificate fingerprint). This information can be used

29

Chapter 3 WinRoute Administration

for authentication of the firewall when connecting to the administration from
another host (see Kerio Administration Console — Help).

• Administrator’s guide — this option displays the administrator’s guide in HTML
Help format. For details about help files, see Kerio Administration Console — Help

manual.

• About — this page provides information about current version of the application
(WinRoute’s administration module in this case), a link to our company’s website,
etc.

Status bar

The status bar at the bottom of the administration window displays the following information
(from left to right):

Figure 3.2 Administration Console status bar

• The section of the administration window currently selected in the left column. This
information facilitates navigation in the administration window when any part of the
section tree is not visible (e.g. when a lower screen resolution is selected).

• Name or IP address of the server and port of the server application (WinRoute uses
port 44333).

• Name of the user logged in as administrator.

• Current state of the Administration Console: Ready (waiting for user’s response), Load-

ing (retrieving data from the server) or Saving (saving changes to the server).

Detection of WinRoute Firewall Engine connection drop-out

Administration Console is able to detect the connection failure automatically. The failure is
usually detected upon an attempt to read/write the data from/to the server (i.e. when the Ap-
ply button is pressed or when a user switches to a different section of Administration Console).
In such case, a connection failure dialog box appears where the connection can be restored.

After you remove the cause of the connection failure, the connection can be restored. Admin-
istration Console provides the following options:

• Apply & Reconnect — connection to the server will be recovered and all changes done
in the current section of the Administration Console before the disconnection will be
saved,

• Reconnect — connection to the server will be recovered without saving any changes
performed in the particular section of the console before the disconnection.

If the reconnection attempt fails, only the error message is shown. You can then try to recon­nect using the File → Restore connection option from the main menu, or close the window and
restore the connection using the standard procedure.

30