Administrator's Guide - Kerio Software Archive
User Authentication

11.1 Firewall User Authentication

Redirection to the authentication page

If the Always require users to be authenticated when accessing web pages option is enabled, user authentication will be required for access to any website (unless the user is already authenticated). The method of the authentication request depends on the method used by the particular browser to connect to the Internet:

• Direct access — the browser will be automatically redirected to the authentication page of the Kerio Control web interface (see chapter 12.2) and, if the authentication is successful, to the requested web page.
• Kerio Control proxy server — the browser displays the authentication dialog and then, if the authentication is successful, it opens the requested web page.

If the Always require users to be authenticated when accessing web pages option is disabled, user authentication will be required only for web pages which are not available (are denied by URL rules) to unauthenticated users (refer to chapter 13.2).

Note: User authentication is used both for accessing a web page (and/or other services) and for monitoring the activities of individual users (the Internet is not anonymous).

Force non-transparent proxy server authentication

Under usual circumstances, a user connected to the firewall from a particular computer is considered authenticated by the IP address of the host until they log out manually or are logged out automatically for inactivity. However, if the client station allows multiple users to be connected to the computer at the same time (e.g. Microsoft Terminal Services, Citrix Presentation Server or Fast user switching on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008), the firewall requires authentication only from the first user who starts working on the host. The other users will be authenticated as this user.

For HTTP and HTTPS, this technical limitation can be worked around. In the web browsers of all clients of the multi-user system, set the connection to the Internet via the Kerio Control proxy server (for details, see chapter 9.4), and enable the Enable non-transparent proxy server option in Kerio Control. The proxy server will require authentication for each new session of the particular browser [6].

Forcing user authentication on the proxy server at the start of each session may bother users working on “single-user” hosts. Therefore, it is desirable to force such authentication only for hosts used by multiple users. For this purpose, you can use the Apply only for these IP addresses option.

Automatic authentication (NTLM)

If the Enable user authentication automatically... option is checked and Internet Explorer or Firefox/SeaMonkey is used, it is possible to authenticate the user automatically using the NTLM method. This means that the browser does not ask for a username and password and simply uses the identity of the first user connected to Windows. However, the NTLM method is not available for other operating systems. For details, refer to chapter 25.3.

Automatically logout users when they are inactive

Timeout is a time interval (in minutes) of allowed user inactivity. When this period expires, the user is automatically logged out from the firewall. The default timeout value is 120 minutes (2 hours).

This situation often comes up when a user forgets to log out from the firewall. Therefore, it is not recommended to disable this option, otherwise login data of a user who forgot to log out might be misused by an unauthorized user.

[6] A session is every single period during which a browser is running. For example, in the case of Internet Explorer, Firefox and Opera, a session is terminated whenever all windows and tabs of the browser are closed, while in the case of SeaMonkey, a session is not closed unless the Quick Launch program is stopped (an icon is displayed in the toolbar’s notification area when the program is running).
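The attribution problem on multi-user hosts, the effect of forcing proxy authentication for selected IP addresses, and the inactivity timeout can be shown with a small model. The Python sketch below is an added example, not Kerio Control code; the class, the browser-session identifier and the 192.0.2.10 address are constructed assumptions.

```python
import ipaddress

class FirewallAuthModel:
    """Simplified model: login tracked by IP, or per browser session for listed hosts."""

    def __init__(self, timeout_min=120, force_proxy_auth_for=()):
        self.timeout = timeout_min * 60   # inactivity timeout in seconds
        self.forced = [ipaddress.ip_network(n) for n in force_proxy_auth_for]
        self.sessions = {}                # key -> (username, last_seen)

    def _key(self, src_ip, browser_session):
        # Hosts in the forced list are tracked per browser session (hypothetical id);
        # every other host is tracked by its IP address alone.
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in self.forced):
            return (src_ip, browser_session)
        return (src_ip, None)

    def login(self, src_ip, browser_session, username, now):
        self.sessions[self._key(src_ip, browser_session)] = (username, now)

    def attribute(self, src_ip, browser_session, now):
        """Return the user a request is attributed to, or None if login is required."""
        key = self._key(src_ip, browser_session)
        entry = self.sessions.get(key)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.timeout:   # automatic logout for inactivity
            del self.sessions[key]
            return None
        self.sessions[key] = (user, now)     # activity resets the inactivity timer
        return user

def demo():
    ts = "192.0.2.10"                        # constructed terminal-server address
    ip_only = FirewallAuthModel()
    ip_only.login(ts, "alice-browser", "alice", now=0)
    # Second user on the same host inherits the first user's identity.
    misattributed = ip_only.attribute(ts, "bob-browser", now=60)

    forced = FirewallAuthModel(force_proxy_auth_for=["192.0.2.10/32"])
    forced.login(ts, "alice-browser", "alice", now=0)
    bob_before = forced.attribute(ts, "bob-browser", now=60)   # must authenticate
    forced.login(ts, "bob-browser", "bob", now=61)
    bob_after = forced.attribute(ts, "bob-browser", now=120)

    # More than 120 minutes after the last activity the IP-based login is gone.
    expired = ip_only.attribute(ts, "alice-browser", now=60 + 120 * 60 + 1)
    return misattributed, bob_before, bob_after, expired
```

In the IP-only model the second user's requests are logged under the first user's name, which is why the per-session setting matters for activity monitoring on terminal servers.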