Kerio Control Step-by-Step Configuration Kerio Technologies
Kerio Technologies s.r.o. All rights reserved. This guide provides a detailed description of the configuration of a local network that uses Kerio Control, version 7.0. All additional modifications and updates reserved. For the current version of the product, go to http://www.kerio.com/firewall/download. For other documents addressing the product, see http://www.kerio.com/firewall/manual.
Contents
1 Introduction
2 Headquarters configuration
2.1 Selection of IP addresses for LAN
2.2 Configuration of network interfaces of the Internet gateway
2.3 Kerio Control installation
Chapter 1 Introduction
This manual describes the configuration steps needed to deploy Kerio Control in a model network.
It is recommended to reserve a standalone server for the firewall (Internet gateway). Such a server can be:
• A physical or virtual server with Windows. Use the Windows edition of Kerio Control, installed in the system as an application. The firewall can run alongside other server applications, such as the mailserver with groupware features Kerio Connect. However, the firewall host should not be used as a user workstation.
Chapter 2 Headquarters configuration
This chapter provides a detailed description of the configuration of the local network and the setup of Kerio Control in the company headquarters. The same procedure can be applied to the network configuration in a branch office (bearing in mind the slight differences described in chapter 3). For the purposes of this example, it is assumed that an Active Directory domain company.com exists in the headquarters' LAN and that all hosts in the network are members of this domain. 2.
2.2 Configuration of network interfaces of the Internet gateway
Note: IP addresses can be assigned to printers either manually or by a DHCP server. If a DHCP server is used, the printer is configured automatically and its address is listed in the DHCP lease list. If configured manually, the printer is independent of the DHCP server's availability.
• Dynamic IP addresses will be assigned to local workstations (easier configuration). Figure 2.
Internet Interfaces
Follow the ISP's instructions to set up the interface connected to the Internet. Most ISPs configure TCP/IP parameters automatically using DHCP. In the case of manual configuration, the following parameters are required for the Internet interface to work properly: IP address, subnet mask, default gateway and the address of at least one DNS server.
2.4 Basic Traffic Policy Configuration
kernel. Kerio Control Engine and Kerio Control Engine Monitor are launched automatically when the installation is complete. The engine runs as a service.
Installation of Software Appliance
Kerio Control in the software appliance edition is distributed as an ISO image of the installation CD, which can be used to deploy the system and install the firewall on either a physical or a virtual host.
Set the following parameters using the Wizard:
• Internet connection type (the wizard, page 2) — select persistent connection with a single Internet line.
• Internet interface (the wizard, page 3) — select the interface connected to the Internet.
• Rules used for outgoing traffic (the wizard, page 4) — these rules enable access to Internet services.
2.6 DHCP Server Configuration
• DNS server — IP address of the firewall interface that is connected to the local network (192.168.1.1 — the same as the default gateway). The Kerio Control DNS forwarder will be used as the primary DNS server. The forwarder ensures correct forwarding of requests between the company's offices and to the Internet.
• Domain — local DNS domain (identical to the Active Directory domain, i.e. company.com).
Now add a reservation for the network printer.
2.7 DNS configuration
In Configuration → DNS, keep the default settings (the DNS service and simple DNS translation with the hosts file and the table of leased addresses are enabled) and set the advanced options:
• Enter the local DNS domain name — company.com.
• Enable the Use custom forwarding option. Add a rule that forwards requests for the Active Directory, i.e. all requests for names starting with _ (underscore), to the domain server in the LAN.
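The forwarding logic configured above, as an added example written for this guide rather than Kerio's own code: underscore-prefixed Active Directory names go to the domain server, the branch subdomain filial.company.com (used in chapter 4) goes to the branch firewall, other names in company.com are answered from the lease table, and everything else goes to the ISP. The domain server and ISP resolver addresses are placeholders, the lease entries are constructed, and first-match evaluation of the rules is an assumption.

```python
from fnmatch import fnmatchcase

# Placeholder addresses (not from the guide): AD domain server and ISP resolver.
DC_ADDR = "192.168.1.10"      # hypothetical domain server in the headquarters LAN
ISP_DNS = "203.0.113.53"      # hypothetical ISP resolver (documentation address range)
BRANCH_FW = "10.1.1.1"        # branch office firewall interface (from the guide)
LOCAL_DOMAIN = "company.com"  # local DNS domain (from the guide)

# Custom forwarding rules, checked top-down; the first matching rule wins
# (evaluation order is an assumption of this example).
HQ_FORWARDING = [
    ("_*." + LOCAL_DOMAIN, DC_ADDR),          # AD service names start with '_'
    ("*.filial." + LOCAL_DOMAIN, BRANCH_FW),  # branch subdomain -> branch firewall
]

# Constructed DHCP lease table standing in for the "table of leased addresses".
LEASES = {"pc1": "192.168.1.50", "printer": "192.168.1.20"}


def normalize(qname):
    """DNS names are case-insensitive; strip a trailing root dot."""
    return qname.rstrip(".").lower()


def resolve_target(qname, rules=HQ_FORWARDING, leases=LEASES):
    """Return ('forward', server), ('local', ip) or ('nxdomain', None)."""
    name = normalize(qname)
    for pattern, server in rules:
        if fnmatchcase(name, pattern.lower()):
            return ("forward", server)
    if name.endswith("." + LOCAL_DOMAIN):
        host = name[: -len("." + LOCAL_DOMAIN)]
        if host in leases:
            return ("local", leases[host])
        # Unknown local host: answer negatively instead of leaking internal
        # names to the ISP resolver (a design choice of this example).
        return ("nxdomain", None)
    return ("forward", ISP_DNS)
```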
2.9 Mapping of user accounts and groups from the Active Directory
To enable the use of Active Directory user accounts, set the mapping of the corresponding domain and define a template that applies specific Kerio Control parameters (user rights, data transfer quotas, etc.) to all users.
Domain mapping
To set Active Directory domain mapping, go to the Active Directory tab under Users and Groups → Users.
2.12 FTP Policy Configuration
It is recommended not to require user authentication in this rule. This prevents an unauthenticated user's browser from being redirected to the authentication page before the notice that the page is blocked is shown.
User authentication for accessing Websites
The last optional restriction is user authentication when accessing Web pages. To enable this feature, use the corresponding option under Users and Groups → Users, the Authentication Options tab.
Notes:
1. The IP address of the host on which the FTP service actually runs must be used to define the FTP server's IP address. It is not possible to use the outbound IP address of the firewall from which the FTP server is mapped (unless the FTP server runs on the firewall itself), because IP addresses are translated before the content filtering rules are applied.
2.
2.15 Secured access of remote clients to LAN

Name             Source                   Destination  Service                   Action  Translation  Valid in
Access to email  Group "Access to email"  Firewall     IMAP, IMAPS, POP3, POP3S  Allow                Working hours

Table 2.3 Enabling access to the firewall's mailserver services

Notes:
1. This rule enables access to IMAP and POP3 services in both encrypted and unencrypted versions — clients can select which service they will use.
2.
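The rule from Table 2.3 expressed as a small policy evaluator, as an added example for this guide rather than Kerio's own code. The group membership is constructed, the "Working hours" interval is assumed to be Monday to Friday 08:00 to 17:00, and top-down first-match evaluation with a default deny is an assumption of this example.

```python
from datetime import datetime

# Constructed group membership (the guide defines the group, not its members).
GROUPS = {"Access to email": {"alice", "bob"}}
# Firewall LAN interface addresses named in the guide.
FIREWALL_ADDRS = {"192.168.1.1", "10.1.1.1"}

# Service names from Table 2.3 mapped to (protocol, port).
SERVICES = {
    "IMAP": ("tcp", 143), "IMAPS": ("tcp", 993),
    "POP3": ("tcp", 110), "POP3S": ("tcp", 995),
}


def working_hours(when):
    """Assumed definition of 'Working hours': Monday-Friday, 08:00-17:00."""
    return when.weekday() < 5 and 8 <= when.hour < 17


# Table 2.3 as a rule list; rules are checked top-down, the first match wins,
# and a connection matching no rule is denied (default deny is assumed here).
RULES = [{
    "name": "Access to email",
    "source_group": "Access to email",
    "destination": FIREWALL_ADDRS,
    "services": {SERVICES[s] for s in ("IMAP", "IMAPS", "POP3", "POP3S")},
    "action": "Allow",
    "valid_in": working_hours,
}]


def evaluate(user, dst_ip, proto, port, when, rules=RULES):
    """Return (rule name, action) of the first matching rule, else (None, 'Deny')."""
    for rule in rules:
        if user not in GROUPS.get(rule["source_group"], set()):
            continue
        if dst_ip not in rule["destination"]:
            continue
        if (proto, port) not in rule["services"]:
            continue
        if not rule["valid_in"](when):
            continue
        return rule["name"], rule["action"]
    return None, "Deny"
```

Dropping IMAP and POP3 from the service set, leaving only IMAPS and POP3S, is all it takes to restrict the rule to encrypted mail access.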
Set automatic configuration of both the IP address and the DNS server (using DHCP) on all workstations (this is the default under most operating systems).
2.17 Viewing statistics of Internet usage and user browsing behavior
Kerio Control also includes a web interface called Kerio StaR (statistics and reporting), which allows viewing of user browsing behavior as well as statistics in tables and charts.
Chapter 3 Configuration of the LAN in a filial office
For quick configuration of the filial office's LAN, a method similar to that used for the headquarters' network (see chapter 2) can be followed. The only difference is in the DNS and DHCP configuration. It is assumed that there is no domain server or any other DNS server in the filial office's network, so the Kerio Control DNS module will be used as the primary DNS server.
3.1 Configuration of network interfaces of the Internet gateway
Set a fixed IP address (e.g. 10.1.1.
• Default gateway — IP address of the firewall interface that is connected to the local network (10.1.1.1).
• DNS server — IP address of the firewall interface that is connected to the local network (10.1.1.1 — the same as the default gateway). The Kerio Control DNS forwarder will be used as the primary DNS server. The forwarder ensures correct forwarding of requests between the company's offices and to the Internet.
Chapter 4 Interconnection of the headquarters and branch offices
This chapter describes how to interconnect the headquarters and branch office servers by an encrypted channel ("VPN tunnel"). The following example covers only the basic configuration of a VPN tunnel between two networks; access restrictions and other specific settings are not discussed here. For an example of a more complex VPN configuration, refer to the Kerio Control — User's Guide document.
The headquarters uses IP addresses 192.168.1.x with the network mask 255.255.255.0 and the DNS domain company.com. The branch office uses IP addresses 10.1.1.x with the network mask 255.255.255.0 and the subdomain filial.company.com.
4.1 Headquarters configuration
1. In Kerio Control, under Configuration / Interfaces, select the VPN server, open its settings dialog and enable it.
identification of the VPN server. The fingerprint of the generated SSL certificate will be required when the VPN tunnel is defined on the headquarters server (see chapter 4.1). Select it, copy it to the clipboard and paste it into an email message, text file, etc. Note: It is recommended to later replace this generated certificate with a certificate issued by a trusted public certification authority.
2.
Appendix A Used open source items
Kerio Control contains open-source software. Full source code packages for these components are available in the Software Archive at http://download.kerio.com/archive/.
Appendix B Legal Notices
Microsoft, Windows, Windows NT and Active Directory are registered trademarks or trademarks of Microsoft Corporation. VMware is a registered trademark of VMware, Inc. Other names of real companies and products mentioned in this document may be registered trademarks or trademarks of their owners.