Best way of allowing Kerio Connect services using custom ports?
  •  
HPSmatt

Currently I've been taking a look at the Kerio Control trial in a VM.

In the traffic rules, when creating a rule, Kerio Connect services already exist; however, we run a web server on the same machine for a few intranet functions only (those services are only accessible to local clients or VPN-connected users), so I have had to amend some of the default ports within Kerio Connect to allow them to run together.

What is the best way of handling this in the traffic rules so Kerio Connect can work securely? It appears the Kerio Services ports are fixed, so would it be a case of adding a list of all the TCP port numbers and mapping them to the mail server static IP?
  •  
Brian Carmichael (Kerio)

In your traffic rules you can change the destination port, but this would affect all services in the rule, so you would need to make a rule for each service where you are trying to do port address translation. If you are running multiple web services in your LAN and you have only one routable Internet IP, you should look into the reverse proxy feature. Note that with this feature you can use notation of ip:port in the destination field to perform the same type of port redirecting.
http://kb.kerio.com/product/kerio-control/proxy-server/configuring-the-reverse-proxy-1568.html

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
HPSmatt

Thanks for the quick reply.

Would I still need or be better off setting up the proxy server when all the web servers only need to be accessible to the LAN/VPN users?

Our public web server is hosted off-site elsewhere so internal web servers are normally just for administrating various servers and devices.

As long as these can all be done on the LAN or when connected in via a VPN that will be enough - and probably better for security.

I would aim for the same with Kerio Control itself, i.e. administration via LAN or VPN only.

Kerio Connect just needs to do mail and calendars to email client software on user computers and phones wherever the users may be at the time, i.e. work, home or on the go.

Looking at the list of ports here: http://kb.kerio.com/product/kerio-connect/server-configuration/services/services-in-kerio-connect-1153.html

The ones I had to change in Kerio due to conflicts with other services running on the machine are LDAP, secure LDAP, HTTP, secure HTTP and IM messaging.
  •  
Brian Carmichael (Kerio)

The reverse proxy only works for HTTP/HTTPS so it's not ideal in this case. For remote administration you can use the MyKerio service. This way you don't have to expose your administration ports.
You indicated the services in conflict are XMPP(S), LDAP(S), and HTTP(S). You could remove these specific services from the default Kerio Connect services group and define individual rules for each of them so that you can set up the port redirection. You may not need LDAP as it's hardly used by any applications at this point. In your rules, make sure the source is "any" so that it will also apply to requests from inside your network.
You should consider virtualizing your systems so that you don't have to run conflicting services on the same OS.

[Updated on: Fri, 25 November 2016 17:52]


Brian Carmichael
Senior Technical Marketing Engineer | Kerio
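
The rule split suggested in the reply above, sketched as an added example (not part of the thread and not Kerio Control's configuration format). The `Rule` model, its field names and the custom listener ports are assumptions made for illustration; the check flags a multi-service rule that carries a single translated port, and a translation rule whose source is not "any".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    # Constructed model of a port-mapping traffic rule; the field names are
    # hypothetical and are not Kerio Control's configuration format.
    name: str
    source: str                           # "any", "internet", "lan", ...
    services: Dict[str, int]              # service -> port clients connect to
    translate_port: Optional[int] = None  # one destination port for the whole rule

def lint(rule: Rule) -> List[str]:
    """Flag the two mistakes the reply warns about."""
    out = []
    if rule.translate_port is not None:
        if len(rule.services) > 1:
            out.append(f"{rule.name}: port {rule.translate_port} would apply to "
                       f"all {len(rule.services)} services")
        if rule.source != "any":
            out.append(f"{rule.name}: source '{rule.source}' skips internal clients")
    return out

def split(group: Rule, moved: Dict[str, int]) -> Tuple[Rule, List[Rule]]:
    """Take the moved services out of the group; give each its own rule."""
    unknown = set(moved) - set(group.services)
    if unknown:
        raise ValueError(f"not in group: {sorted(unknown)}")
    kept = {s: p for s, p in group.services.items() if s not in moved}
    rest = Rule(group.name, group.source, kept)
    singles = [Rule(f"{group.name} - {s}", "any", {s: group.services[s]}, port)
               for s, port in moved.items()]
    return rest, singles

# Standard client-facing ports; the custom listener ports are constructed
# sample values, since the thread does not state the real ones.
GROUP = Rule("Kerio Connect services", "any",
             {"SMTP": 25, "IMAPS": 993, "HTTP": 80, "HTTPS": 443,
              "LDAP": 389, "LDAPS": 636, "XMPP": 5222, "XMPPS": 5223})
MOVED = {"HTTP": 8800, "HTTPS": 8843, "LDAP": 3890, "LDAPS": 6360,
         "XMPP": 15222, "XMPPS": 15223}

if __name__ == "__main__":
    bad = Rule(GROUP.name, "internet", GROUP.services, 8843)
    print(lint(bad))
    rest, singles = split(GROUP, MOVED)
    for r in [rest] + singles:
        print(r.name, r.services, "->", r.translate_port, lint(r))
```
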
  •  
HPSmatt

Thanks Brian - makes sense, I'll take a look at removing the services from the preset and then setting up extra rules next week.

I already had in mind moving Kerio Connect to either a VM or its own hardware as it makes sense for simplicity and reliability - I just need to find a convenient time to break off and do this. The new firewall is the priority at the moment.