Kerio Control Step-by-Step Guide Kerio Technologies
2010 Kerio Technologies s.r.o. All rights reserved. This guide provides a detailed description of the configuration of a local network that uses Kerio Control, version 7.1. All additional modifications and updates reserved. For the current version of the product, go to http://www.kerio.com/firewall/download. For other documents addressing the product, see http://www.kerio.com/firewall/manual.
Contents
1 Introduction
2 Headquarters configuration (page 6)
2.1 Selection of IP addresses for LAN (page 6)
2.2 Configuration of network interfaces of the Internet gateway (page 7)
2.3 Kerio Control installation
Chapter 1 Introduction
This manual describes the configuration steps to be taken to implement Kerio Control in a model network.
It is recommended to reserve a standalone server for the firewall's purposes (Internet gateway). Such a server can be:
• A physical or virtual server with Windows. Use the Windows edition of Kerio Control, installed in the system as an application. The firewall can run alongside other server applications, such as Kerio Connect, the mail server with groupware features. However, the firewall host should not be used as a user workstation.
Chapter 2 Headquarters configuration
This chapter provides a detailed description of the configuration of the local network and the setup of Kerio Control in the company headquarters. The same procedure can be applied to the network configuration in a branch office (bearing in mind the slight differences described in chapter 3). For the purposes of this example, it is assumed that an Active Directory domain company.com exists in the headquarters' LAN and that all hosts in the network are members of this domain. 2.
2.2 Configuration of network interfaces of the Internet gateway
Note: IP addresses can be assigned to printers either manually or by a DHCP server. If a DHCP server is used, the printer is configured automatically and its address is listed in the DHCP lease list. If configured manually, the printer is independent of the DHCP server's availability.
• Dynamic IP addresses will be assigned to local workstations (easier configuration). Figure 2.
Internet Interfaces
Follow the ISP's instructions to set up the interface connected to the Internet. Most ISPs configure the TCP/IP parameters automatically using the DHCP protocol. In case of manual configuration, the following parameters are required for proper functionality of the Internet interface: IP address, subnet mask, default gateway and the address of at least one DNS server.
2.3 Kerio Control installation kernel. Kerio Control Engine and Kerio Control Engine Monitor are launched automatically when the installation is complete. The engine runs as a service.
Installation of the Software Appliance
Kerio Control in the software appliance edition is distributed as an ISO image of the installation CD, which can be used to install the system and the firewall on either a physical or a virtual host.
Upon the first startup of the virtual host, a simple wizard opens that allows you to set the basic parameters of the firewall (network interfaces, time and time zone, etc.). Other parameters can be set remotely in the Kerio Control Administration web interface.
Installing Kerio Control Box
Use the power cable to connect Kerio Control Box to a power supply. Connect the first port (port number 1) to the Internet (i.e. connect it to the router, cable modem, ADSL modem, etc.
2.6 DHCP Server Configuration
Connectivity Wizard
First, run the Connectivity Wizard (the first link in the Configuration Assistant). Set the following parameters using the Wizard:
• Internet connection type (wizard page 1): select a persistent connection with a single Internet line.
• Internet interface (wizard page 2): select the adapter connected to the Internet.
• Interface for the local network (wizard page 3): select the adapter connected to the local network.
Hint: Do not make the reservation manually unless you know the MAC address of your printer. Run the DHCP server and connect the printer to the network. An IP address from the previously defined scope (see above) will be assigned to it. In the list of leased addresses, select this IP address and click Reserve. This opens the IP address reservation dialog with the corresponding MAC address already filled in.
2.9 Mapping of user accounts and groups from the Active Directory
The SSL-VPN interface is used for secure remote access to shared files in the local network from a web browser. For proper functionality of the web services, an SSL certificate proving the server's identity is required. To create certificates for the web interfaces, go to Configuration → Advanced Options, to the Web Interface or the SSL-VPN tab. In the advanced settings of the individual interfaces, select Change SSL certificate and then Create certificate.
2.10 Address Groups and Time Ranges
Open the Configuration → Definitions → Address Groups section to create the IP group Email Access, which will be used to limit access to email accounts (refer to chapter 2.15). This group will consist of the IP addresses 123.23.32.123 and 50.60.70.80 and of the entire 195.95.95.128 network with the 255.255.255.248 network mask.
Note: Defining the first group requires the name of the new group; later additions allow selection of an existing group.
2.12 FTP Policy Configuration
Use the Select Rating... button to select the Kerio Web Filter categories that will be blocked. Then select the appropriate categories in the Pornography/Nudity section to deny access to pages with erotic/sexual content. On the Advanced tab, enter the text that will be displayed if a user attempts to access a page with forbidden content, or set redirection to another web page.
Restrictions of web pages with job offers
To restrict access to websites with job offers, use the following rules: 1.
FTP restrictions specified by predefined rules
Go to Configuration → Content Filtering → FTP Policy to set FTP limitations. The following predefined rules can be used for all intended restrictions:
• The rules Forbid *.mpg, *.mp3 and *.mpeg files and Forbid upload are ready to use.
• Modify the Forbid *.avi files rule by going to the Advanced tab and setting the time when the rule is valid to the Working hours range (see chapter 2.10).
Kerio Control allows you to select the protocols to which the antivirus check will be applied. The HTTP and FTP scanning, Email scanning and SSL-VPN scanning tabs enable detailed configuration of scanning for the individual protocols. Usually, the default settings are suitable.
2.14 Intrusion Prevention System
In Configuration → Traffic Policy → Intrusion Prevention, enable detection of known types of network intrusions coming from the Internet and from known intruders.
1. This rule enables access to the IMAP and POP3 services in both encrypted and unencrypted versions; clients can select which service they will use.
2. In this example, the SMTP service was mapped by the traffic rules wizard (refer to chapter 2.5), so the appropriate rule already exists.
3. Access to the SMTP service must not be limited to certain IP addresses only, as anyone is allowed to send email to the local domain. 2.
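The Email Access address group from section 2.10 and the email rules listed above can be modelled as a small first-match rule evaluator, which is how a traffic rule table is read: top to bottom, first hit wins, nothing matched is denied. The Python below is an added example, not Kerio code or a Kerio API. The group members are the addresses given in section 2.10; the rule names, the port sets and the evaluate() function are assumptions made here to show that IMAP/POP3 is reachable only from the group while SMTP stays open to any source.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Address group "Email Access" as defined in section 2.10 of the guide:
# two single hosts plus the 195.95.95.128 network with mask 255.255.255.248.
EMAIL_ACCESS_MEMBERS = [
    "123.23.32.123",
    "50.60.70.80",
    "195.95.95.128/255.255.255.248",
]


def parse_group(members: List[str]) -> List[ipaddress.IPv4Network]:
    """Convert a Kerio-style address group (single hosts and network/mask
    entries) into network objects. A bare host becomes a /32 network and a
    dotted netmask such as 255.255.255.248 is converted to its prefix length."""
    return [ipaddress.ip_network(m, strict=False) for m in members]


def in_group(ip: str, group: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any member of the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


@dataclass
class Rule:
    name: str
    ports: Set[int]                                  # destination TCP ports
    sources: Optional[List[ipaddress.IPv4Network]]   # None = any source
    action: str = "allow"


# Hypothetical rule table (rule names are assumptions, not Kerio's own):
# IMAP/POP3 on the plain and TLS ports only from Email Access, SMTP from
# anywhere, as the three points above require. Unmatched traffic is denied.
RULES = [
    Rule("Email Access", {110, 995, 143, 993}, parse_group(EMAIL_ACCESS_MEMBERS)),
    Rule("SMTP server", {25}, None),
]


def evaluate(src_ip: str, dst_port: int, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation: returns (rule name, action) for the first rule
    whose port set and source group both match, or ("default", "deny")."""
    for rule in rules:
        if dst_port in rule.ports and (rule.sources is None or in_group(src_ip, rule.sources)):
            return rule.name, rule.action
    return "default", "deny"


if __name__ == "__main__":
    # Constructed sample connections, not captured traffic.
    samples = [("195.95.95.130", 993), ("195.95.95.136", 993), ("203.0.113.9", 25)]
    for src, port in samples:
        print(f"{src}:{port} -> {evaluate(src, port)}")
```

Note that the mask 255.255.255.248 makes 195.95.95.128 a /29, so only the eight addresses .128 to .135 belong to the group; an address such as 195.95.95.136 is outside it and its IMAP connection falls through to the default deny.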
2.18 Viewing statistics of Internet usage and user browsing behavior
Kerio Control also includes a web interface called Kerio StaR (statistics and reporting), which allows you to view user browsing behavior as well as statistics in tables and charts.
Chapter 3 Configuration of the LAN in a branch office
For quick configuration of the branch office's LAN, it is possible to follow a similar method as for the headquarters' network (see chapter 2). The only difference is in the DNS configuration. Supposing that there is no domain server or any other DNS server in the branch office's network, Kerio Control's DNS module will be used as the primary DNS server.
3.1 Configuration of network interfaces of the Internet gateway
Set a fixed IP address (e.g. 10.1.1.
Chapter 4 Interconnection of the headquarters and branch offices
This chapter provides information on interconnecting the headquarters and branch office servers by an encrypted channel (a "VPN tunnel"). The following example describes only the basic configuration of a VPN tunnel between two networks. No tips on access restrictions or other specific settings are included here. For an example of a more complex VPN configuration, refer to the Kerio Control User's Guide.
The headquarters uses IP addresses 192.168.1.x with the network mask 255.255.255.0 and the DNS domain company.com. The branch office uses IP addresses 10.1.1.x with the network mask 255.255.255.0 and the subdomain filial.company.com.
4.1 Headquarters configuration
1. In Kerio Control, under Configuration / Interfaces, select the VPN server, open its settings dialog and enable it.
identification of the VPN server. The fingerprint of the created SSL certificate will be required for the definition of the VPN tunnel on the headquarters server (see chapter 4.1). Select it, copy it to the clipboard and paste it into an email message, text file, etc.
Note: It is recommended to later replace this generated certificate with a certificate issued by a trusted public certification authority. 2.
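The fingerprint exchanged out of band is what lets each end of the tunnel authenticate the other's certificate, so the value pasted into the tunnel definition must be compared carefully against the one the peer actually presents. The Python below is an added example, not Kerio code: it shows how such a fingerprint is derived (a hash over the certificate's DER encoding, rendered as colon-separated hex) and how a value received by email or text file should be normalized and compared. The PEM/DER helpers, the colon-separated output format, the default hash algorithm and the sample certificate bytes are assumptions made here; the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder standing in for a certificate's DER bytes. A real
# check would read the DER from the exported certificate file; for the
# fingerprint only the exact DER bytes matter, not their content.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes-for-fingerprint-demo"

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (base64 with line breaks)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body back to DER."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER encoding and render it as upper-case colon-separated hex,
    e.g. 'A9:99:3E:...'. The algorithm is a parameter so SHA-256 works too."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'abcd..' or a labelled form such as
    'SHA1 Fingerprint=AB:CD:..' and reduce it to bare lower-case hex."""
    fp = fp.rsplit("=", 1)[-1]
    return re.sub(r"[\s:]", "", fp).lower()


def fingerprint_matches(pem: str, expected: str, algorithm: str = "sha1") -> bool:
    """Compare the fingerprint of the presented certificate with the expected
    value received out of band. A malformed or truncated expected value is
    rejected outright; the final comparison is constant-time."""
    actual = normalize(fingerprint(pem_to_der(pem), algorithm))
    wanted = normalize(expected)
    if len(wanted) != len(actual) or not re.fullmatch(r"[0-9a-f]+", wanted):
        return False
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    fp = fingerprint(SAMPLE_DER)
    print("fingerprint:", fp)
    print("matches own fingerprint:", fingerprint_matches(pem, fp))
    print("matches wrong fingerprint:", fingerprint_matches(pem, fingerprint(b"abc")))
```

Rejecting a fingerprint of the wrong length before comparing catches the common case of a value that was truncated while being copied through email, which would otherwise simply fail to match with no hint why.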
Appendix A Used open source items
Kerio Control contains open-source software. Full source code packages for these components are available in the Software Archive at http://download.kerio.com/archive/.
Appendix B Legal Notices
Microsoft, Windows, Windows NT and Active Directory are registered trademarks or trademarks of Microsoft Corporation. VMware is a registered trademark of VMware, Inc. Other names of real companies and products mentioned in this document may be registered trademarks or trademarks of their owners.