Web Interface Parameters Configuration

To define basic parameters of the WinRoute Web interface, go to the Web Interface folder in Configuration / Advanced Options.


Enable Web Interface (HTTP)

This option enables the unencrypted (HTTP) version of the Web interface (port 4080 is used by default for this interface).

Enable Web Interface over SSL (HTTPS)

This option enables the encrypted (HTTPS) version of the Web interface (port 4081 is used by default for this interface).

WinRoute server name

Server DNS name that will be used for the Web interface (e.g. server.company.com). The name need not be identical to the host name; however, an appropriate DNS entry must exist so that the name resolves properly.

Note: If all clients accessing the Web Interface use the DNS Forwarder in WinRoute as a DNS server, there is no need to add the server name to DNS. The name is already known and is combined with the name of the local domain (see chapter DNS Forwarder).

Allow access only from these IP addresses

Select IP addresses which will always be allowed to connect to the Web interface (usually hosts in the local network). You can also click the Edit button to edit a selected group of IP addresses or to create a new IP group (details in chapter Address Groups).

Note: Access restrictions are applied to both unencrypted and encrypted versions of the Web interface.

In SSL Options you can set pages to which users will be redirected if the firewall requires user authentication (see chapter User Accounts).

  • Do not use SSL-secured interface: users will be redirected to the unencrypted authentication page.

    Warning: This option is not very secure (i.e. user passwords can be tapped). However, it can be used quite safely in a local network behind a firewall. This option is also necessary if a valid SSL certificate is not available or if any other technical problems arise.

  • Use SSL-secured interface only for login pages: users will be automatically redirected to the secured authentication page. Other pages of the Web interface (e.g. denial information, error alerts, etc.) will not be encrypted.

  • Always use SSL-secured Web interface: the encrypted version will be used for all pages of the Web interface.

Web Interface: Advanced options

Advanced parameters for the Web interface can be set by clicking the Advanced button.


TCP ports

Use this section to set ports for unencrypted and encrypted versions of the Web interface (default ports are 4080 for the unencrypted and 4081 for the encrypted version of the Web interface).

TIP: If no WWW server is running on the WinRoute host, standard ports (i.e. 80 for HTTP and 443 for HTTPS) can be used for the Web interface. In that case, the port number does not have to be included in URLs of Web interface pages.

Warning: If any of the entries specifies a port that is already used by another service or application and the Apply button (in Configuration / Advanced Options) is clicked, WinRoute will accept the port. However, the Web interface will not run on that port, and an error in the following format will be reported in the Error log (see chapter Error Log):

Socket error: Unable to bind socket for service to port 80.

(5002) Failed to start service "WebAdmin" bound to address 192.168.1.10.

If you are not sure that the specified ports are free, check the Error log immediately after clicking Apply to find out whether the corresponding error has been logged.
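The check described above can be scripted. The following is an added example, not part of the WinRoute documentation: it tests whether a TCP port can be bound before you enter it, and pairs the two Error log messages shown above. The function names and the timestamp prefix in the sample log are assumptions.

```python
import re
import socket

# Message texts as shown on this page; anything before them on a line is ignored.
BIND_RE = re.compile(r"Unable to bind socket for service to port (\d+)")
FAIL_RE = re.compile(
    r'\(5002\) Failed to start service "([^"]+)"\s+bound to address (\d+(?:\.\d+){3})')

# Constructed sample: the timestamp prefix is an assumption about the log layout.
SAMPLE_LOG = """\
[01/Jan/2005 10:00:00] Socket error: Unable to bind socket for service to port 80.
[01/Jan/2005 10:00:00] (5002) Failed to start service "WebAdmin" bound to address 192.168.1.10.
"""

def port_is_free(port, host="0.0.0.0"):
    """Try to bind the TCP port as a service would; False means it is taken."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True

def find_bind_failures(log_text):
    """Pair each 'Unable to bind' line with the (5002) line that follows it."""
    failures, pending_port = [], None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending_port = int(m.group(1))
            continue
        m = FAIL_RE.search(line)
        if m and pending_port is not None:
            failures.append({"port": pending_port,
                             "service": m.group(1),
                             "address": m.group(2)})
            pending_port = None
    return failures

if __name__ == "__main__":
    for port in (4080, 4081):
        print(port, "free" if port_is_free(port) else "in use")
    print(find_bind_failures(SAMPLE_LOG))
```

Run the port test on the WinRoute host itself, and pass the address the interface is bound to as host if it is not bound to all addresses.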

SSL certificate

This section provides basic information about the SSL certificate currently in use (server name, name of the organization that issued the certificate). Click the Change SSL certificate button to create a new certificate or to import a certificate issued by a public certification authority.

Server SSL certificate

The encrypted WinRoute Web interface is based on the principle that all communication between the client and the server is encrypted to protect it from wiretapping and misuse of the transmitted data. The SSL protocol first uses asymmetric encryption to exchange a symmetric encryption key, which is then used to encrypt the transmitted data.

Two keys are used for asymmetric encryption: a public key to encrypt and a private key to decipher. The public (encrypting) key is available to all users who intend to connect to the server, whereas the private (deciphering) key is available to the server only and must be kept secret. The client also needs to verify the server's identity. A certificate serves this purpose. The certificate contains the server's public key, the server name, information about validity and other data. To ensure the authenticity of the certificate, it must be verified and signed by a third party, the certificate authority.

The communication between the client and the server is as follows: the client generates a symmetric key and encrypts it with the server's public key (obtained from the server certificate). The server deciphers it with its unique private key. Therefore, only these two parties know the symmetric key.

Generate or Import Certificate

WinRoute provides a sample certificate for testing. You will find it in the server.crt file in the sslcert subdirectory of the directory where WinRoute is installed. The other file (server.key) contains the server's private key. This certificate is identical in every WinRoute installation. This means that encrypted services will merely function, but practically no security is ensured (everyone knows the private key, so anyone can decipher the communication).

Click the Change SSL certificate button (in the dialog for advanced settings of the Web interface) to view the dialog with the current server certificate. By selecting the Field (certificate entry) option you can view information either about the certificate issuer (Issuer) or about the subject (Subject) represented by your server.
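The key exchange described in the previous section, and the reason a private key shared by every installation provides no confidentiality, can be shown in a few lines. This is an added, simplified illustration and not WinRoute or SSL code: it uses textbook RSA with a constructed toy key and a toy XOR cipher, and all names and values are assumptions.

```python
import hashlib
import secrets

# Constructed toy RSA key pair built from two Mersenne primes; far too small
# for real use and without the padding a real protocol applies.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus (published in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (stands in for server.key)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with a SHA-256 counter keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def client_send(public_n: int, public_e: int, message: bytes):
    """Client: generate a symmetric key and encrypt it with the public key."""
    sym_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(sym_key, "big"), public_e, public_n)
    return wrapped, keystream_xor(sym_key, message)

def unwrap_and_decrypt(private_d: int, public_n: int, wrapped: int, ciphertext: bytes):
    """Any holder of the private key recovers the symmetric key and the data."""
    sym_key = pow(wrapped, private_d, public_n).to_bytes(16, "big")
    return keystream_xor(sym_key, ciphertext)

def demo():
    wrapped, ciphertext = client_send(N, E, b"user=alice&password=constructed")
    server_view = unwrap_and_decrypt(D, N, wrapped, ciphertext)
    # With the sample certificate, the same server.key ships with every
    # installation, so a third party holds the same D as the server.
    third_party_view = unwrap_and_decrypt(D, N, wrapped, ciphertext)
    return ciphertext, server_view, third_party_view

if __name__ == "__main__":
    ct, server_view, third_party_view = demo()
    print(ct.hex(), server_view, third_party_view == server_view)
```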

To get your own unique certificate that you will use to authenticate identity of your server, use one of the two methods described below.

To create your own (self-signed) certificate, click the Generate certificate button in the dialog that displays the current server certificate. Enter the required data about the server and your company in the dialog fields. Only fields marked with an asterisk (*) are required.

Click the OK button to return to the Server SSL certificate dialog. The new certificate is put into use automatically (you do not need to restart your operating system).

A new (self-signed) certificate is unique. It is created by your company, addressed to your company and based on the name of your server. Unlike the testing version of the certificate, this certificate ensures your clients' security, as only you know the private key and the identity of your server is guaranteed by the certificate. In their browsers, clients will be informed that the certificate authority is not reliable; however, they will install it into the browser as they trust the owner of this certificate. This ensures secure communication, and no more warnings will be displayed, as the certificate has all the necessary features.
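To confirm that the Web interface no longer presents the shared sample certificate after you generate or import your own, compare certificate fingerprints. This is an added example, not part of the WinRoute documentation; the function names are assumptions, and the PEM texts embedded here are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re
import ssl

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 over the decoded bytes of the first certificate in a PEM text.

    Hashing the decoded bytes makes the result independent of line endings,
    line wrapping and any text placed before the BEGIN marker.
    """
    m = CERT_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def uses_sample_cert(served_pem: str, sample_pem: str) -> bool:
    """True if the served certificate is the sample shipped with the product."""
    return cert_fingerprint(served_pem) == cert_fingerprint(sample_pem)

def fetch_served_cert(host: str, port: int = 4081) -> str:
    """Fetch the certificate the HTTPS Web interface presents (not validated)."""
    return ssl.get_server_certificate((host, port))

def make_pem(der: bytes, eol: str = "\n") -> str:
    """Wrap bytes in PEM armour; used only to build the constructed samples."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----", ""])

# Constructed stand-ins: placeholder bytes, not real certificates.
SAMPLE = make_pem(b"constructed sample certificate bytes " * 4)
SERVED_SAME = "Certificate:\r\n" + make_pem(
    b"constructed sample certificate bytes " * 4, "\r\n")
SERVED_OWN = make_pem(b"constructed self-signed certificate bytes " * 4)

if __name__ == "__main__":
    print(uses_sample_cert(SERVED_SAME, SAMPLE), uses_sample_cert(SERVED_OWN, SAMPLE))
```

In practice, pass the text of sslcert\server.crt from a fresh installation as sample_pem and the result of fetch_served_cert for your server as served_pem.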

The other option is to get a signed certificate from a public certificate authority (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). The certification process is quite complex and requires special technical knowledge. For detailed instructions contact Kerio technical support.

Web Interface Language Preferences

WinRoute's Web Interface is available in various languages. The language is set automatically according to each user's preferences defined in the Web browser (this function is available in most browsers). English will be used if no preferred language is available.

Individual language versions are saved in definition files in the weblang subdirectory of the directory where WinRoute is installed. Each language is represented by two files: xx.def and xx.res. The xx string stands for a standard two-character language abbreviation (e.g. en stands for English). The first row of xx.def contains the language abbreviation (identical to the abbreviation in the file name). The second row contains the character encoding used for the language (e.g. ISO-8859-1 is used for English). This encoding must be used for both language files.

WinRoute administrators can easily modify texts of the Web Interface pages or create new language versions.

Note: Changes in the xx.def file will be applied after restarting the WinRoute Firewall Engine.
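Before restarting the engine with an edited or new language version, the rules above can be checked automatically. This is an added example, not part of the WinRoute documentation: it verifies the two header rows of xx.def and flags files saved in a different encoding than the one declared. The function names are assumptions, and the sample files contain placeholder content because this page describes only the first two rows of xx.def.

```python
import codecs
from pathlib import Path

def write_constructed_sample(directory, abbr, declared, text, save_as=None):
    """Write a constructed abbr.def / abbr.res pair (body text is a placeholder)."""
    data = f"{abbr}\n{declared}\n{text}\n".encode(save_as or declared)
    for ext in ("def", "res"):
        (Path(directory) / f"{abbr}.{ext}").write_bytes(data)

def looks_like_utf8(raw: bytes) -> bool:
    """True if raw has a BOM, or has non-ASCII bytes that form valid UTF-8."""
    if raw.startswith(codecs.BOM_UTF8):
        return True
    if raw.isascii():
        return False
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def check_language(weblang_dir, abbr):
    """Return the problems found in abbr.def and abbr.res (empty list = none)."""
    paths = [Path(weblang_dir) / f"{abbr}.{ext}" for ext in ("def", "res")]
    missing = [f"missing {p.name}" for p in paths if not p.is_file()]
    if missing:
        return missing
    problems = []
    # The two header rows are ASCII, so they are readable before the encoding is known.
    rows = paths[0].read_bytes().decode("ascii", "replace").splitlines()
    if len(rows) < 2:
        return [f"{paths[0].name}: fewer than two rows"]
    if rows[0].strip() != abbr:
        problems.append(f"{paths[0].name}: row 1 is {rows[0].strip()!r}, expected {abbr!r}")
    declared = rows[1].strip()
    try:
        codec = codecs.lookup(declared).name
    except LookupError:
        return problems + [f"{paths[0].name}: unknown encoding {declared!r}"]
    for p in paths:
        raw = p.read_bytes()
        try:
            raw.decode(codec)
        except UnicodeDecodeError as exc:
            problems.append(f"{p.name}: byte {exc.start} is not valid {declared}")
        if codec != "utf-8" and looks_like_utf8(raw):
            problems.append(f"{p.name}: saved as UTF-8 but {declared} is declared")
    return problems
```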
