unrecognized user statistics (Kerio User Forums, Kerio Control)
  •  
LinuxMan

Hello;

I have enabled "Always require users to be authenticated when accessing web pages" but I see "unrecognized user statistics" increasing every day.
  •  
Grimson

My guess is that only 'Web' Activity is monitored and all other data / traffic like SMTP / FTP / Site to site VPN etc. is not.
Users do not have to authenticate for services other than HTTP so therefore this data is unaccounted for.

[Updated on: Wed, 30 May 2007 21:46]

  •  
winkelman

Well, you could configure KWF so that KWF won't route anything unless the user is logged on. Works fine here. If someone wants to, say, FTP, (s)he first has to go to any web page so the KWF login page appears. Only after logging in will any other protocol work (if they have the proper rights for that protocol, of course).

Only thing the above won't work with is HTTPS. For some reason, anyone can reach any HTTPS site. For HTTPS it either seems a total on or total off, no control over it. It does not even require authentication.
  •  
LinuxMan

Thanks;
How do I do that? I explored the Kerio admin tool many times, but I couldn't find a solution for it.
  •  
winkelman

LinuxMan wrote on Thu, 31 May 2007 09:52

Thanks;
How do I do that? I explored the Kerio admin tool many times, but I couldn't find a solution for it.

Well, that's up to you, how you want to configure and manage the firewall. There's no one way of doing this.

I have created different groups for different 'protocol rights'. For example a group called 'IP-PORTS - FTP'. Then create separate Traffic Policies that allow the right ports for the right groups (FTP and FTPS ports for the group mentioned above). I have separate groups for email ports, LDAP ports, telnet, etc. etc. With the correct groups and Traffic Rules it becomes really easy to allow (or disallow) someone a specific protocol: simply make him/her a member of the right groups.

You don't have to group for HTTP(S) access. Just create a Traffic Policy allowing this for the LAN interface. It might look like you are allowing everyone HTTP access this way, but that's not true if you've configured KWF to require authentication.

Mind the order and put the rule allowing HTTP traffic on top of all the 'allow' rules. (Of course, put all the 'deny' rules above the 'allow' rules.) Finally, make sure there's a 'deny everything for everyone' rule at the bottom so that everything not explicitly allowed is denied.

Because with the above anyone with an account can use the Internet, I have created an additional group of PCs that are blocked regardless of the account. Passwords are easily shared between users and I don't want these PCs to have Internet access, period. (Of course, there's an additional rule that allows me (or the admins) Internet access on these blocked PCs anyway, to do updates and stuff.)

You can do a similar thing for sorting out websites. Create different groups for different sets or types (if you have the OrangeWeb filter) of websites and create the appropriate URL rules to go with it.

Finally, make sure you've set the security rules properly to make sure everybody is obliged to authenticate.

Well, in the end the firewall configuration is like a structure you're building up during use. Just make sure you have the proper 'architecture' to easily allow for this. And do not make the rule-set too complicated; that way it becomes unmanageable.

In the end it took me quite some time to get it all right. But along the way you really get to know the product, so that's fine.

Good luck!
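
The rule ordering described in the post above, as an added example that is not part of the original thread and is not Kerio configuration syntax: a small Python model of top-down, first-match rule evaluation, plus a check for rules that can never fire because an earlier rule already matches. It assumes first-match semantics; the group 'Admins', the host names, and the placement of the admin exception above the blocked-PC rule are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    services: Optional[frozenset] = None  # None matches any service
    hosts: Optional[frozenset] = None     # None matches any source host
    groups: Optional[frozenset] = None    # None = no login/group required

def evaluate(rules, service, host, user_groups=frozenset()):
    """Top-down, first match wins. user_groups is empty when nobody is logged in."""
    for r in rules:
        if r.services is not None and service not in r.services:
            continue
        if r.hosts is not None and host not in r.hosts:
            continue
        if r.groups is not None and not (r.groups & user_groups):
            continue
        return r.action, r.name
    return None  # no rule matched: the rule set lacks a catch-all

def _covers(a, b):
    """True if match field a accepts everything match field b accepts."""
    return a is None or (b is not None and b <= a)

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule matches first."""
    return [later.name for i, later in enumerate(rules)
            if any(_covers(e.services, later.services) and _covers(e.hosts, later.hosts)
                   and _covers(e.groups, later.groups) for e in rules[:i])]

# Constructed rule set in the order the post describes. Only the group name
# 'IP-PORTS - FTP' is from the post; 'Admins' and the host names are hypothetical.
BLOCKED = frozenset({"kiosk-pc"})
RULES = [
    Rule("admin exception", "allow", hosts=BLOCKED, groups=frozenset({"Admins"})),
    Rule("blocked PCs", "deny", hosts=BLOCKED),
    Rule("web from LAN", "allow", services=frozenset({"HTTP", "HTTPS"})),
    Rule("FTP group", "allow", services=frozenset({"FTP", "FTPS"}),
         groups=frozenset({"IP-PORTS - FTP"})),
    Rule("deny everything for everyone", "deny"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "FTP", "desk-1"))                      # nobody logged in
    print(evaluate(RULES, "FTP", "desk-1", {"IP-PORTS - FTP"}))  # after login
    print(shadowed(RULES))                                       # intended order
    print(shadowed([RULES[1], RULES[0]] + RULES[2:]))            # exception placed too low
```

The web rule matches without a login in this model; the login page comes from the separate authentication setting mentioned in the post, which is not modelled here.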