User Accounts

User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can also be used to access the WinRoute administration using the Kerio Administration Console. A basic administrator account is created during the WinRoute installation process. This account has full rights for WinRoute administration. It can be removed if there is at least one other account with full administration rights.

Note: If you have lost access to the WinRoute administration, contact Kerio technical support.

Creating a New User Account

New user accounts can be defined in the User Accounts tab under Users and Groups / Users.

Use the Add button to open a dialog where new user accounts can be defined.

Step 1 - basic information:


Name

Username used to log into the program. Usernames are not case-sensitive.

Warning: We recommend not using special characters (characters from non-English languages), which might cause problems when authenticating via the Web interface.

Full name

Full name of the user (usually first name and surname of the user)

Description

More information about the user (e.g. grade, position within the company, etc.)

The Full Name and the Description items have informative values only. Any type of information can be included or the field can be left empty.

Email address

Email address to which alerts (see chapter Alerts) and other information for the user (e.g. a warning if a limit for data transmission is exceeded) will be sent. A valid email address should be set for each user, otherwise some of the WinRoute features may not be used efficiently.

Note: A relay server must be set in WinRoute for each user, otherwise sending of alert messages to users will not function. For details, see chapter SMTP Relay.

Authentication

User authentication (see below)

Account is disabled

Suspension of a user account without removing it.

Note: For example, this option can be used to create a user account that will not be used immediately (e.g. an account for a new employee who has not yet taken up the position).

Authentication options:

Internal User Database

User account information is stored locally in WinRoute. Passwords can be edited later using the Web interface (see chapter Web Interface and User Authentication). NTLM authentication cannot be used for this authentication method.

Warning: Passwords can include printable characters only (letters, digits, punctuation) and are case-sensitive. We recommend not using special characters (characters from non-English languages), which might cause problems when authenticating to the Web interface.

Windows NT Domain

Users are authenticated in Windows NT Domain.

This method of authentication cannot be used unless WinRoute is running on Windows NT 4.0 / 2000 / XP operating systems.

NT domain / Kerberos 5

Users are authenticated through the Windows NT domain (Windows NT 4.0) or through the Active Directory (Windows 2000/2003).

Go to the Active Directory / NT domain tab to set parameters for user authentication through the NT domain or through the Active Directory.

Step 2 - groups:

Groups into which the user will be included can be added or removed with the Add or the Remove button within this dialog (to create new groups go to Users and Groups / Groups; see chapter User Groups). Follow the same guidelines to add users to groups during group definition. It is not important whether groups or users are defined first.

TIP: While adding new groups you can mark more than one group by holding either the Ctrl or the Shift key.

Step 3 - access rights:

Each user must have one of the three types of access rights.

No access to administration

The user has no rights to access the WinRoute administration. This setting is commonly used for the majority of users.

Read only access to administration

The user can access WinRoute. He or she can read settings and logs but cannot edit them.

Full access to administration

The user can read or edit all the records and settings and his or her rights are equal to the administrator rights (Admin). If there is at least one user with the full access to the administration, the default Admin account can be removed.

Advanced options:

User can override WWW content rules

User can customize personal Web content filtering settings independently of the global configuration (for details, refer to Step 4).

User can unlock URL rules

This option allows the user to unlock Web pages with forbidden content (the Unlock button will be available to the user on the denial page; see details in chapter URL Rules).

User can dial RAS connection

The user is allowed to dial RAS connections in the Web interface (see chapter Dial-up) or in the Administration Console (provided that the user also possesses at least read rights; for more information, see chapter Interfaces).

Note: If the user does not possess this right, he/she will not be allowed to control RAS lines.

User can connect using VPN

The user is allowed to connect through WinRoute's VPN server (using Kerio VPN Client). For detailed information, refer to chapter Kerio VPN.

User is allowed to use P2P networks

Traffic of this user will not be blocked if P2P (Peer-to-Peer) networks are detected. Refer to chapter P2P Eliminator.

Step 4 - quota for data transmission

Daily and monthly limit for volume of data transferred by a user, as well as actions to be taken when the quota is exceeded, can be set in this section.

Transfer quota

Limit settings

  • Enable daily limit: daily limit parameters.

    Use the Direction combo box to select which transfer direction will be controlled (download: incoming data, upload: outgoing data, all traffic: both incoming and outgoing data).

    The limit can be set in the Quota entry using megabytes or gigabytes.

  • Enable monthly limit: monthly limit parameters. To set this quota, follow the same instructions as for the daily limit.

Quota exceed action

Set actions which will be taken whenever a quota is exceeded:

  • Generate alert message only: no limits will be applied to the user. This option can also be combined with the Notify user by email when quota is exceeded option (the user will only be warned about exceeding the quota).

  • Do not allow the user to open new connections: the user will be allowed to continue using the connections already open, but will not be allowed to establish new connections (i.e. to connect to another server, download a file through FTP, etc.).

  • Kill all the user's connections immediately: all traffic of this user will be blocked at once.

Notes:

  1. If a quota is exceeded and a blocking action is taken, the restrictions will continue to be applied until the end of the quota period (day or month). To cancel these restrictions before the end of the corresponding period, the following actions can be taken:

    • disable temporarily a corresponding limit, raise its value or switch to the Do not block anything mode

    • reset statistics of a corresponding user (see chapter User statistics).

  2. Quota monitoring (taking actions when exceeded) may be undesirable if the user is authenticated at the firewall. In such a case, all firewall traffic and all firewall users would be blocked.

    The Exclude firewall for quota actions option is available in the Quota / Statistics tab under Configuration / Advanced options. If this option is enabled, no action will be taken when the quota is exceeded by a user authenticated at the firewall. This option is enabled by default. See also chapter Preferences.

Check the Notify user by email when quota is exceeded option to enable sending of warning messages to the user in case that a quota is exceeded. A valid email address must be specified for the user (see Step 1). SMTP Relay must be set in WinRoute (see chapter SMTP Relay).

TIP: If you wish that your WinRoute administrator is also notified when a quota is almost exceeded, set the notification parameters in Configuration / Logs and Alerts. For details, refer to chapter Alerts.

Step 5 - content rules

Within this step, special content filter rule settings for individual users can be defined. Global rules (defined in the Content Rules tab in the Configuration / Content Filtering / HTTP Policy section) are used as default (when a new user account is defined). For details, see chapter Content Rules.

Note: These settings are available to the user and can be changed in the corresponding page of WinRoute's Web interface (see chapter User Preferences). Users who are allowed to override content rules can customize their settings. Users who are not allowed to override rules can only enable or disable the features that are available to them (set in their personal configuration).

Step 6 - user's IP addresses

If a user works at a reserved workstation (i.e. this computer is not used by any other user) with a fixed IP address (static or reserved at the DHCP server), the user can use automatic login from that IP address. This means that whenever a connection attempt from this IP address is detected, WinRoute assumes that the connection is performed by that user and does not require authentication. The user is logged in automatically and all functions are available as if the user had logged in with username and password.

This implies that only one user can be automatically authenticated from a particular IP address. When a user account is being created, WinRoute automatically detects whether the specified IP address is used for automatic login or not.

Automatic login can be set for the firewall (i.e. for the WinRoute host) and/or for any other host(s) (i.e. when the user also connects from an additional workstation, such as a notebook). An IP address group can be used to specify multiple hosts (refer to chapter Address Groups).

Warning: Automatic login decreases user's security. If an unauthorized user works on the host for which automatic login is enabled, he/she automatically uses the identity of the host's user. Therefore, automatic login should be accompanied by another security feature, such as by user login to the operating system.

The IP address that will always be assigned to the VPN client of the particular user can be specified under VPN client address. Using this method, a fixed IP address can be assigned to a user when he/she connects to the local network via the Kerio VPN Client. It is possible to add this IP address to the list of IP addresses from which the user will be authenticated automatically.

For detailed information on the Kerio Technologies' proprietary VPN solution, refer to chapter Kerio VPN.
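The automatic-login rules in Step 6 can be reviewed offline against an account inventory. The following is an added example, not part of the WinRoute documentation or product: the inventory format, the option labels and the sample addresses are constructed for illustration. It reports addresses claimed by more than one account, and auto-login accounts that also hold Step 3 advanced options, since whoever sits at such a host takes over that identity.

```python
import ipaddress
from itertools import combinations

# Constructed inventory in a hypothetical format (not a WinRoute export).
# "options" uses made-up labels for the Step 3 advanced options;
# "autologin" lists Step 6 addresses or ranges in CIDR notation.
ACCOUNTS = {
    "jsmith": {"options": set(), "autologin": ["192.168.1.20"]},
    "mbrown": {"options": {"unlock_url_rules"}, "autologin": ["192.168.1.32/28"]},
    "kdoe": {"options": {"p2p_allowed"}, "autologin": ["192.168.1.40"]},
    "tlee": {"options": {"override_www_rules"}, "autologin": []},
}

def networks(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def audit(accounts):
    """Return (kind, users, detail) findings for automatic-login settings."""
    findings = []
    nets = {u: networks(a["autologin"]) for u, a in accounts.items()}
    # Only one user can be automatically authenticated from an IP address,
    # so any address claimed by two accounts is a conflict.
    for (u1, n1), (u2, n2) in combinations(sorted(nets.items()), 2):
        for a in n1:
            for b in n2:
                if a.overlaps(b):
                    shared = a if a.prefixlen >= b.prefixlen else b
                    findings.append(("overlap", f"{u1},{u2}", str(shared)))
    # Whoever sits at an auto-login host takes over the account's identity,
    # including any policy exemptions it holds: list those for review.
    for user, acct in sorted(accounts.items()):
        if acct["autologin"] and acct["options"]:
            findings.append(("exempt-autologin", user,
                             ",".join(sorted(acct["options"]))))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(*finding, sep="\t")
```
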

User Account Editing and Displaying Statistics

The Edit button opens a dialog for editing user account parameters. This dialog has all the properties of the Add User dialog window described above. All the setting options are included in one window only.
