
KWF 6.1.2 Policy for AD users not workin' for me :(
  •  
cordlesspass

I try to deny access to ICQ. I've imported user "abcd" from AD. Created a rule which denies access to the ICQ login server by IP range. When I put "any computer" or smth like that in "source" of this rule, it works fine, but when I put this user it doesn't. User still can use ICQ. I tried to relogin by this user, restarted server & client even... nothing helped me :( What am I doin' wrong? Server is on Win2003, client WinXP SP2. Thanks for help ;)
  •  
winkelman

Are you sure the user is logged into KWF when he uses ICQ?
  •  
cordlesspass

What is the procedure of loggin' into KWF? I thought that if the user is logged into AD & is imported from it to KWF & is usin' internet (for example) through the server on which KWF is workin', then the user is logged into KWF :( So the user can use ICQ even if there's a rule for him not to use it, by just not loggin' into KWF or what? How can I make the procedure of loggin' into KWF by users obligatory? Plz not RTFM me ;)
  •  
feite

You created a rule like this:

name: deny ICQ
source: user abcd
dest: internet
service: ICQ
action: deny or drop

Remember that a rule is applied to traffic if source/dest/service match. If one of those does not match, the rule is not applied. If the user has not logged in on the firewall yet, the traffic from his/her PC is not recognized as traffic from user abcd. This means there is no match for source, so the rule is not applied. Somewhere lower in the traffic rule list is a rule that allows users to use ICQ. This rule matches, and the not-logged-in user abcd is allowed to use ICQ. If the user logs in on the firewall, the rule 'deny ICQ' will match and access will be denied.
  •  
cordlesspass

My rule says:
Source: Any
Destination: 205.188.0.0-205.188.255.255, 64.12.0.0-64.12.255.255
Service: Any
Action: Drop

All users can't use ICQ. If I change source to user abcd, then user abcd is able to use ICQ. What should I do to deny access to ICQ for user abcd? How to make him log into KWF? Maybe I should create a rule for all my network blockin' ICQ & should grant access to ICQ to users who need it? As I understand, in that case they also should be logged into KWF, so how to make it?
  •  
winkelman

Please go into the Kerio Administrator and check if users are actually logged in... and tell us.

(You have to configure KWF to allow automatic authentication ('logging in') through Internet Explorer. This is not done out-of-the-box.)
  •  
feite

If I set up a firewall, I deny everything by default. Only traffic that needs to pass the firewall will be allowed. So in your case a general deny-all rule should be in place (by default for KWF), and above that rule should be allow rules that are as strict as possible. If you specify a usergroup 'ICQ allowed' at source, only logged-in users that belong to that group can use ICQ.

If you have automatic authentication enabled (users / authentication options / web authentication / enable both options), a user that browses the internet will log in automatically. When the user has logged in, he/she can use ICQ because the user is known.
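
The first-match behaviour feite describes in the two posts above, as an added Python sketch that is not part of the original thread and is not Kerio code or configuration. The function names, the "allow outbound" rule, the user `efgh` and the sample addresses are assumptions made for the illustration; the ICQ ranges and user `abcd` are taken from the thread.

```python
from ipaddress import ip_address

# ICQ login server ranges quoted in the thread.
ICQ_RANGES = [("205.188.0.0", "205.188.255.255"), ("64.12.0.0", "64.12.255.255")]

def in_icq(dst):
    d = ip_address(dst)
    return any(ip_address(lo) <= d <= ip_address(hi) for lo, hi in ICQ_RANGES)

def source_matches(source, src_ip, sessions, groups):
    """source is 'any', ('user', name) or ('group', name).
    sessions maps client IP -> logged-in user; a host with no session has
    no identity and can never match a user- or group-based source."""
    if source == "any":
        return True
    user = sessions.get(src_ip)
    if user is None:
        return False
    kind, name = source
    return user == name if kind == "user" else user in groups.get(name, set())

def evaluate(rules, src_ip, dst_ip, sessions, groups):
    """Return (rule name, action) of the first rule that fully matches."""
    for name, source, dest, action in rules:
        dest_ok = dest == "any" or (dest == "icq" and in_icq(dst_ip))
        if dest_ok and source_matches(source, src_ip, sessions, groups):
            return name, action
    return "implicit default", "drop"

# Deny one named user, with a broad allow lower in the list (hypothetical rule).
DENY_USER = [
    ("deny ICQ", ("user", "abcd"), "icq", "drop"),
    ("allow outbound", "any", "any", "permit"),
]
# Default deny with a strict group-based allow above it.
DEFAULT_DENY = [
    ("allow ICQ group", ("group", "ICQ allowed"), "icq", "permit"),
    ("deny all", "any", "any", "drop"),
]
GROUPS = {"ICQ allowed": {"efgh"}}   # constructed membership
PC = "192.168.1.20"                  # constructed client address
ICQ_HOST = "205.188.1.1"             # constructed address inside the first range

if __name__ == "__main__":
    for label, rules in (("deny-user", DENY_USER), ("default-deny", DEFAULT_DENY)):
        for sessions in ({}, {PC: "abcd"}, {PC: "efgh"}):
            print(label, sessions, evaluate(rules, PC, ICQ_HOST, sessions, GROUPS))
```

With the deny-by-user list, a host that has not authenticated falls through to the broad allow; with the default-deny list, the same host is dropped and only an authenticated member of the group is permitted.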
  •  
Almok

feite, how can you explain the next thing I've met?
In Traffic Policy I've added ONLY "Authenticated users" to the Source of NAT and Firewall Rules; my users are configured to log on automatically by IP. So - no choice to log on, and no inet access. Ok, I've changed Source to the Local Interface - works fine. Where is the logic?
  •  
feite

Almok,

Could you show me a jpg of the firewall rules?