AD Login & Group Restrictions
EverBlue

Messages: 4
Karma: 0
Dear All,

I have been reading the knowledge base and forum topics for 15 days now and couldn't really find what I need. Below is a description of my system:

Interface1: Internet
Interface2: LAN
NAT: enabled
DHCP: Off (we use manual ip addresses)
Active Directory on a separate computer with users and groups
Groups:
1-No Restrictions
2-Full Access (limited download/upload)
3-Limited Access (certain websites)
4-Email Only (POP3)

I would like to:

1. Enable domain authentication (I managed to get it done once, but it stopped working again. Right now if I log in through AD, I can't authenticate in WinRoute). I have read the KB article http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=77&nav=0,2 on how to configure it, but it doesn't work now.

2. I have created the traffic policy below to restrict unauthenticated users from accessing any services on the Internet. It works fine, except that if the user is not logged in, this rule prevents access to the WinRoute login page as well. Since my domain authentication doesn't work, users can't access anything. How can I enable access to the WinRoute login page in this scenario?
Name: NAT
Source: Authenticated users
Destination: Internet
Service: Any
Default NAT

3. How can I create rules based on the groups that I have created?

4. Auto Logout: I have read the KB article http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=408&nav=0,2 but it doesn't work. I don't really know how to provide more information to get replies.

5. WinXP hibernate: Some of my users are using laptops and when going home, they do not log off or turn off their computers but rather hibernate or put them to sleep. The next day when they come in and open their computers, they will only be asked to supply a password, which gives them access to AD. Now they can't get access to WinRoute as they haven't properly logged in to the domain. Is there a workaround for this?

6. Is there a possibility to restrict multiple instances of a username in WinRoute?

Many thanks in advance.
EverBlue

Messages: 4
Karma: 0
Looks like nobody pays attention to this post.

I have found the answers to my 2nd and 3rd questions and am pasting them below; they may help others.

To allow traffic access to certain users or an IP group, you need to create the following rule.

Name: NAT

Source: (Authenticated users or IP group), firewall, DNS server (IP address or name)

Destination: Internet
Service: Any (or limited based on your requirements)

Default NAT


The only change is that you need to add the DNS server (IP or name) and the firewall computer as well.
Previously I was adding only (authenticated users or IP group) and forgot to put in the DNS server.

Thanks
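The mechanism behind this fix, as an added illustration that is not part of the thread or of Kerio's own configuration format: a minimal first-match traffic-rule simulator in Python. All addresses, the login-page port (4080) and the rule names are constructed assumptions. It traces what an unauthenticated LAN client needs before it can be sent to the firewall's login page (resolve a name, let the LAN DNS server recurse upstream, open the login port) and shows that with "Authenticated users" as the only NAT source the DNS server's own upstream queries are dropped, so name resolution fails before the client ever gets to the login page; adding the DNS server and the firewall host to the rule's source clears the chain while still denying unauthenticated clients direct Internet access.

```python
from dataclasses import dataclass

# Constructed LAN layout for the example (not from the thread).
FIREWALL_IP = "192.168.1.1"     # the WinRoute/Kerio box itself
DNS_SERVER_IP = "192.168.1.10"  # the AD domain controller that also serves DNS
LAN_PREFIX = "192.168.1."
LOGIN_PORT = 4080               # assumed port of the firewall's user login page


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    authenticated: bool = False  # True when src_ip is mapped to a logged-in user


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset  # "authenticated", "firewall", "lan", or literal IPs
    destination: str    # "firewall", "lan" or "internet"
    action: str         # "allow" or "deny"


def zone(ip: str) -> str:
    """Classify an address the way the rule table refers to it."""
    if ip == FIREWALL_IP:
        return "firewall"
    return "lan" if ip.startswith(LAN_PREFIX) else "internet"


def source_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        ("authenticated" in rule.sources and pkt.authenticated)
        or ("firewall" in rule.sources and pkt.src_ip == FIREWALL_IP)
        or ("lan" in rule.sources and zone(pkt.src_ip) == "lan")
        or pkt.src_ip in rule.sources
    )


def evaluate(policy: list, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in policy:
        if source_matches(rule, pkt) and rule.destination == zone(pkt.dst_ip):
            return rule.action
    return "deny"


# Rules assumed to be present anyway: LAN hosts may reach the firewall
# itself (the login page lives there) and each other.
LOCAL_RULES = [
    Rule("Firewall access", frozenset({"lan"}), "firewall", "allow"),
    Rule("Local traffic", frozenset({"lan", "firewall"}), "lan", "allow"),
]

# The NAT rule as first posted: only authenticated users may leave the LAN.
ORIGINAL_POLICY = LOCAL_RULES + [
    Rule("NAT", frozenset({"authenticated"}), "internet", "allow"),
]

# The corrected NAT rule from the thread: the DNS server and the firewall host
# are added to the source so name resolution works before anyone logs in.
CORRECTED_POLICY = LOCAL_RULES + [
    Rule("NAT", frozenset({"authenticated", "firewall", DNS_SERVER_IP}),
         "internet", "allow"),
]


def login_page_steps(policy: list) -> dict:
    """Trace the chain an unauthenticated LAN client goes through before it
    can be shown the login page. Returns step name -> "allow"/"deny"."""
    client = "192.168.1.50"
    steps = {
        "client->dns": Packet(client, DNS_SERVER_IP, 53),       # LAN -> LAN
        "dns->upstream": Packet(DNS_SERVER_IP, "198.51.100.53", 53),  # LAN -> Internet
        "client->login": Packet(client, FIREWALL_IP, LOGIN_PORT),     # LAN -> firewall
    }
    return {name: evaluate(policy, pkt) for name, pkt in steps.items()}


def first_blocked_step(policy: list):
    """Name of the first denied step, or None if the whole chain is allowed."""
    for name, action in login_page_steps(policy).items():
        if action == "deny":
            return name
    return None


def unauthenticated_web_allowed(policy: list) -> bool:
    """The restriction the rule exists for: an unauthenticated client must not
    reach the Internet directly, under either version of the policy."""
    return evaluate(policy, Packet("192.168.1.50", "203.0.113.80", 80)) == "allow"


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(label, login_page_steps(policy), "first blocked:", first_blocked_step(policy))
```

Running it prints `dns->upstream` as the first blocked step under the original policy and `None` under the corrected one, while `unauthenticated_web_allowed` stays `False` for both, which is the property the rule was written to enforce. The DNS server shows up as an unauthenticated source because no user is logged in on it, which is why it has to be listed explicitly.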
winkelman

Messages: 2119
Karma: 3
It's 'better' to let KWF function as a DNS Forwarder. That way, DNS services are available to anyone on your local LAN (if, as by default, you allow connections on all ports to the Firewall itself). This also allows you to control DNS requests yourself, possibly using local addresses for LAN machines that are also available from the Internet, etc.

And then you'd not have to enable a rule to allow DNS requests to flow to your ISP.
dougchil

Messages: 3
Karma: 0
I have problem 4 as well. The cause seems to be an interface design change when STaR came on the scene, and the knowledge base article does not reflect the change.