Step-by-Step Configuration

Kerio Technologies
 2001-2003
C Kerio Technologies. All Rights Reserved.

Printing Date: December 17, 2003

This guide provides detailed description on configuration of the local network which
uses the Kerio WinRoute Firewall, version 5.1.8. All additional modifications and
updates reserved.

For current product version, check http://www.kerio.com/kwf.

Contents

1 WinRoute Configuration Step-by-Step Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.1 Network Interface Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 WinRoute Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3 Basic Traffic Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4 DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.5 DNS Forwarder Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.6 Creating User Accounts and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.7 Address Groups and Time Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.8 Web Rules Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.9 FTP Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.10 Antivirus Scanning Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.11 Enabling Access to Services from the Internet . . . . . . . . . . . . . . . . . . . . . . . . 26
1.12 LAN Hosts Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

3
4
Chapter 1

WinRoute Configuration Step-by-Step Guide

This chapter describes in detail the steps needed to deploy WinRoute in an example
network. This network includes most elements present in a real-life WinRoute network
— Internet access from the local network, protection against attacks from the Internet,
access to selected services on the LAN from the Internet, user access control, automatic
configuration of clients on the LAN, etc.

WinRoute configuration will be better understood through an example of a model net-

work according to the following scheme.

1.1 Network Interface Configurations

Internet Interfaces

TCP/IP parameters of the Internet Interface must be set according to information pro-
vided by your ISP. In case of a dial-up connection (i.e. analog modem or ISDN), you

5
Chapter 1 WinRoute Configuration Step-by-Step Guide

must create the appropriate dial-up connection using the ’make new connection’ wizard
located in the network control panel.

Verify connectivity (i.e. by using the ping command or by opening a Web site using your
browser).

Selection of IP addresses for LAN

The following options can be used to select IP addresses for your LAN:

• use public IP addresses. The ISP will assign a required IP range and set routing pa-
rameters.

• use private IP addresses and IP translation (NAT). We recommend using this option
as it provides easier administration and technical maintenance.

Private addresses are represented by special IP ranges that are reserved for local net-
works which do not belong to the Internet (private networks). These addresses must not
exist in the Internet (Internet routers are usually set in order to drop all packets that
include these addresses).

The following IP ranges are reserved for private networks:

• 10.x.x.x, network mask 255.0.0.0

• 172.16.x.x, network mask 255.240.0.0

• 192.168.x.x, network mask 255.255.0.0

Warning: Do not use other IP addresses in private networks, otherwise some Web pages
(those networks that have the same IP addresses) might be unavailable!

The 192.168.1.0 address (private IP address) with the 255.255.255.0 network mask
is used for the local network in the following example.

LAN Interface

The following parameters will be set at the LAN Interface:

• IP address — the 192.168.1.1 IP address will be used

• network mask — 255.255.255.0

6
 1.2 WinRoute Installation

• default gateway — no default gateway is allowed at this interface!

• DNS server — if the Internet connection is performed via a dial-up, address of the DNS
server must be equal to the IP address of the WinRoute host so that also on-demand
dialing from the firewall will function (refer to chapter 1.5) — use the 192.168.1.1
address. It is not necessary to define the address of the DNS server at this interface
if you use leased line.

1.2 WinRoute Installation

Run the WinRoute installation program and select the

Typical installation.

Disable the Internet Connection Sharing (Windows Me, 2000, XP) or Internet Connection
Firewall (Windows XP) services if detected by the installation program, otherwise Win-
Route might not function correctly.

7
Chapter 1 WinRoute Configuration Step-by-Step Guide

Define a username and password that will be used for the administrative account.

Restart your machine when the installation is completed.

1.3 Basic Traffic Policy Configuration

After reboot, run the Kerio Administration Console (Start / Programs / Kerio). Connect
to the localhost (the local computer) with the user name and password defined during
installation. The Network Rules Wizard will be started automatically after the first login.
Set the following parameters using the Wizard:

• Internet connection type (Step 2) — type of interface via which the firewall is connect-
ed to the Internet

8
 1.3 Basic Traffic Policy Configuration

• Internet interface (Step 3) — select an Internet interface or appropriate dial-up. Sup-

ply the username and password for the appropriate account if the selected type is a
dial-up connection.

• Rules used for outgoing traffic (Step 4) — these rules enable access to Internet ser-
vices.

• Rules for incoming traffic (Step 5) — for example, a mapping to an SMTP (email) server

9
Chapter 1 WinRoute Configuration Step-by-Step Guide

Note: In this step you can also define mapping for other hosted services such as an
FTP server. This will be better understood through the second method — custom rule
definition. For details refer to chapter 1.11.

• Sharing of the Internet connection (Step 6) — network address translation (NAT) must
be enabled if private IP addresses will be used within the LAN

1.4 DHCP Server Configuration

Example Notes

The following methods can be used to assign IP addresses to local hosts:

• The 192.168.1.2 static IP address will be assigned to the file server / FTP server (its
IP address must not be changed, otherwise mapping from the Internet will not work).

• A Static IP address will be assigned to the network printer by the DHCP server (DHCP
lease). Printing machines cannot have dynamic IP addresses, otherwise they would
be unavailable from clients if the IP changes.

Note: IP addresses can be assigned to printing machines either manually or by a DHCP

server. If a DHCP server is used, the printing machine is configured automatically

10
 1.4 DHCP Server Configuration

and its address is listed in the DHCP lease list. If configured manually, the printing
machine will be independent of the DHCP server’s availability.

• Dynamic IP addresses will be assigned to local workstations (easier configuration).

DHCP Server Configuration

Go to the Configuration / DHCP server section in Kerio Administration Console. Open the
Scopes tab to create an IP scope for hosts to which addresses will be assigned dynam-
ically (the Add / Scope option). The following parameters must be specified to define
address scopes:

• First address — select 192.168.1.10 (addresses from 192.168.1.1 to

192.168.1.9 will be reserved for servers and printing machines)

• Last address — 192.168.1.254 (address with the highest number that can be used
for the particular network)

• Network mask — 255.255.255.0

• Default gateway — IP address of the firewall interface that is connected to the local
network (192.168.1.1).

11
Chapter 1 WinRoute Configuration Step-by-Step Guide

Note: Default gateway specifies the route via which packets from the local network
will be routed to the Internet. Routing via WinRoute will enable traffic filtering, user
authentication, etc.

• DNS server — IP address of the firewall interface that is connected to the local net-
work (see chapter 1.5)

Create a lease for the network printing machine using the Add / Reservation... option.
The address you reserve need not necessarily belong to the scope described above, how-
ever, it must belong to the specified network (in this example the 192.168.1.3 address
is reserved). You need to know the hardware (MAC) address of the printing machine to
make the reservation.

TIP: Do not make the reservation manually unless you know the hardware address of
your printing machine. Run the DHCP server and connect the machine to the network.
An IP address from the formerly defined scope (see above) will be assigned to the print-
ing machine. Mark this address in the Leases tab and use the Reserve... button to open
a dialog where the appropriate hardware address will be already defined. Insert the ap-
propriate IP address (and its description if desirable) and click on the OK button. Restart
your printing machine. The appropriate IP address will be assigned to the printing ma-
chine by the DHCP server after the restart.

12
 1.5 DNS Forwarder Configuration

Notes:

1. Do not use the DHCP server unless all desired scopes and reservations are made or
unless you need to determine a client’s MAC address (see above).

2. You can also use another DHCP server to detect settings of your network equipment
automatically. Set the firewall computer’s internal IP address as the default gateway
and DNS server in parameters for this range on the DHCP server.

1.5 DNS Forwarder Configuration

Go to Configuration / DNS Forwarder to configure DNS servers to which DNS queries

will be forwarded.

• Select the Forward DNS queries to the specified DNS server(s) option and define IP
addresses of DNS server(s) included in the Internet if the IP address of DNS server
is identical with the IP address used by the WinRoute host (usually when a dial-up is
used — refer to chapter 1.1). DNS servers of your ISP are recommended as they are
easily available. Ask your ISP to supply you with appropriate IP addresses.

• You can use the Forward DNS queries to the server automatically selected from DNS
servers... option that is selected by the default when a leased line is used — — Win-
Route will use one of the DNS servers set at the Internet interface.

Use the Edit file... button to edit the hosts system file. In this dialog, specify all IP
addresses and hostnames of hosts to which IP addresses have been assigned manually
(including the firewall).

13
Chapter 1 WinRoute Configuration Step-by-Step Guide

1.6 Creating User Accounts and Groups

Go to the Users and Groups / Users section to create user accounts for all users within
the local network.
If a Windows NT or Windows 2000 domain is used in the local domain, user accounts can
be imported and/or configured in this domain. All users will have an identical username
and password to access all network resources.
Name of the Windows NT/Windows 2000 domain must be defined in the appropriate
entry in Advanced Options / User Authentication.

14
 1.7 Address Groups and Time Ranges

Go to Users and Groups / Groups to create user groups that will be used to control user
access to the Internet. Sort users into appropriate groups.

1.7 Address Groups and Time Ranges

Open the Definitions / Address Groups section to create IP groups that will be used
to limit access to email accounts (refer to chapter 1.11). This group will consist of

15
Chapter 1 WinRoute Configuration Step-by-Step Guide

the 123.23.32.123 and 50.60.70.80 IP addresses and of the entire 195.95.95.128

network with the 255.255.255.248 network mask.

Adding an IP address:

Adding a network:

Note: Name must be identical for all items so that all items will be added to the same
group.

Resultant address group:

16
 1.7 Address Groups and Time Ranges

Go to Definitions / Time Ranges to create a group that will be limited to accessing In-
ternet services during the labor hours (from Monday to Friday from 8 A.M. to 4:30 P.M.,
Saturdays and Sundays from 8 A.M. to 12 A.M.).

Labor time definition working days (from Monday to Friday):

Labor time definition for weekends (Saturday and Sunday):

Notes:

1. You can use predefined day groups (Weekday or Weekend) to define the Valid on
entry — it is not necessary to tick each day individually.

2. The Name entries must be identical so that only one time range will be created.

This is the result Labor time time range:

17
Chapter 1 WinRoute Configuration Step-by-Step Guide

1.8 Web Rules Definition

Requirements

Access to Web pages will be limited by the following restrictions:

• filtering of advertisements included in Web pages

• access to pages with erotic/sexual content is denied

• access to Web pages that offer jobs is denied (only users working in Personal Depart-
ments are allowed to access these pages)

• user authentication will be required before access to the Internet is allowed (this way
you can monitor which pages are opened by each user)

18
 1.8 Web Rules Definition

Predefined HTTP Rules

The following basic HTTP rules are already predefined and available in the URL Rules tab
in Configuration / Content Filtering / HTTP Policy:

Remove advertisement and banners Filtering of advertisements and banners. Ac-

cording to this rule all objects matching with the predefined Ads/banners URL group
are dropped. Tick this rule to activate it.

Note: It might happen that a page that does not represent any advertisement is
dropped. If so, remove an appropriate item (the one that causes the problem) from
the Ads/banners group or add an exceptional rule for particular pages (we recom-
mend using the second method).

Deny sites rated in Cobion categories This rule denies access to Web sites that match
selected Cobion Orange Filter system categories. Use the Select Rating... button to
select categories that will be blocked first.

Select appropriate categories in the Pornography section to deny access to pages with
erotic/sexual content.

Notes:

1. The basic WinRoute license does not provide Cobion Orange Filter system (a spe-
cial license version must be purchased). However, this system is available in the
WinRoute trial version.

2. Cobion Orange Filter system included in WinRoute must communicate with

database servers. This means that the traffic policy must enable access to the
COFS service (6000/tcp) from the firewall. Traffic rules created by the Wizard
allow all traffic from the firewall to the Internet — it is not necessary to define a
new rule.

19
Chapter 1 WinRoute Configuration Step-by-Step Guide

3. You can define multiple URL rules that will use the Cobion Orange Filter rating
system. Multiple categories may be used for each rule.

4. We recommend you to enable the “unlock” option in rules that use the Cobion
Orange Filter rating system as a page may be classified incorrectly and useful
information might be blocked under certain conditions. All unlock queries are
logged into the Filter log — here you can monitor whether unlock queries were
appropriate or not.

Authenticate all users This option will require authentication of all users that intend
to access Web pages (and it will enable authenticated users to access the pages). Thus
the Internet is not accessed anonymously and you can easily monitor network activity
of individual users (the Web and the HTTP logs).

Note: You can insert the information that will be displayed when an attempt to connect
to a denied page is detected in the Advanced tab (URL Rules).

20
 1.8 Web Rules Definition

Creating Custom URL Rules

Rules that will be used for certain users or user groups may be added after the rule that
requires authentication for all users.

You can add a rule that will enable users belonging to the Personal Department group to
access pages where jobs are offered.

A rule that will deny all users to access pages with job offers must be added after the
previous rule.

21
Chapter 1 WinRoute Configuration Step-by-Step Guide

Note: In both rules mentioned above only the JobSearch category is selected.

HTTP Cache Configuration

Cache accelerates access to repeatedly opened Web pages, thus reducing Internet traffic.
Cache can be enabled from the Enable cache on transparent proxy and the Enable cache
on proxy server options in Configuration / Content Filtering / HTTP Policy. Set the cache
to the desirable size with respect to the free memory on the disc using the Cache size
entry. The 1 GB (1024 MB) value is set by the default, the maximum value is 2 GB
(2048 MB).

22
 1.9 FTP Policy Configuration

1.9 FTP Policy Configuration

Requirements

FTP usage will be limited by the following restrictions:

• transmission of music files in the MP3 format will be denied

• transmission of video files (*.avi) will be denied during labor time

• uploads (storing files at FTP servers) will be denied — protection of important com-
pany information

Predefined FTP Rules

Go to Configuration / Content Filtering / FTP Policy to set FTP limitations. The following
rules are predefined rules and can be used for all intended restrictions.

23
Chapter 1 WinRoute Configuration Step-by-Step Guide

Forbid *.mpg, *.mp3 and *.mpeg files This option denies transmission of sound files
of the listed formats. This rule is already available and it can be enabled easily.

Forbid *.avi files This rule will deny transmission of video files. Enable this rule, use
the Edit button to open the appropriate dialog and define the Labor time time range
in the Advanced tab.

Forbid upload Deny storing data at FTP servers — this rule is already defined and it is
satisfactory to switch it on if you intend to use it.

24
 1.9 FTP Policy Configuration

Warning

The FTP policy refers to all FTP traffic that is processed by the FTP protocol inspector.
In the following example, we intend to enable the local FTP server from the Internet. The
Forbid upload rule denies even upload to this server which is not always desirable. For
this reason we must add a rule that would enable upload to this server before the Forbid
upload rule.

Notes:

1. The IP address of the host where the appropriate FTP service is running must be
used to define the FTP server’s IP address. It is not possible to use only the firewall’s
external IP address from which FTP server is mapped (IP translation is performed
before content filtering rules are applied)!

2. The same method can be applied to enable upload to a particular FTP server in the
Internet whereas upload to other FTP servers will be forbidden.

25
Chapter 1 WinRoute Configuration Step-by-Step Guide

1.10 Antivirus Scanning Configuration

Any supported external antivirus application that you intend to use must be installed
first. The McAfee antivirus application is integrated into WinRoute and you will need
a special license to run it.

Select an appropriate antivirus application in Configuration / Content Filtering / An-

tivirus and choose file types that will be scanned. All executables and Microsoft Office
files are scanned by default.

1.11 Enabling Access to Services from the Internet

Go to Configuration / Traffic Policy to add rules for services that will be available from
the Internet.

• access to other mail server services —allowed from certain IP addresses only

26
 1.12 LAN Hosts Configuration

Notes:

1. This rule enables access to IMAP and POP3 services in both encrypted and unen-
crypted versions — client can select which service they will use.

2. Based on this example, SMTP service was mapped by the traffic rules Wizard
(refer to chapter 1.3) — the appropriate rule already exists.

3. Access to the SMTP service must not be limited to certain IP addresses only as
anyone is allowed to send an email to the local domain.

• mapping of the local FTP server

Note: Rules are processed from top to bottom. Once a rule is matched, there will be no
further processing of filter rules. Therefore, all permission rules must be located prior
to denial rules.

1.12 LAN Hosts Configuration

TCP/IP parameters for the hosts that are used as the file server and as the FTP server
must be configured manually (its IP address must not be changed):

• IP address — we will use the 192.168.1.2 address (refer to chapter 1.4)

• Default gateway, DNS server — use IP address of the appropriate firewall’s interface
(192.168.1.1)

Set automatic configuration (using DHCP) at all workstations (it is set by default under
most operating systems).

27
Chapter 1 WinRoute Configuration Step-by-Step Guide

28
 1.12 LAN Hosts Configuration

29