Local accounts are accounts created in the Administration Console or imported from a domain. These accounts are stored in WinRoute's configuration database (in the userDB.cfg
file under the WinRoute installation directory). Local accounts are useful especially in domainless environments or for special purposes (e.g. firewall administration).
Regardless of the method used to create the account, each local user can be authenticated against WinRoute's internal database, Active Directory or a Windows NT domain.
A basic administrator account is created during the WinRoute installation process. This account has full rights for WinRoute administration. It can be removed only if at least one other account with full administration rights exists.
All passwords should be kept safe and secret, otherwise they might be misused by an unauthorized person.
If all accounts with full administration rights are removed and the connection to the Administration Console is closed, it is no longer possible to connect to the WinRoute administration. Under these conditions, a local user account Admin with a blank password is created automatically upon the next start of the WinRoute Firewall Engine. Because this recovery account has no password, set a password for it (or remove it in favour of a properly secured full-access account) immediately after the next login to the Administration Console.
If the administration password is forgotten, contact our technical support at http://www.kerio.com/.
Open the User Accounts tab in the Users and groups → Users section. In the Domain combo box, select Local User Database.
Click on the corresponding button to open a guide that creates a new user account. The first step asks for the following items:
Username: the name used for login to the account. The user name is not case-sensitive. We recommend not using special characters (non-English letters), which might cause problems when authenticating at the Web interface or the SSL-VPN interface.
Full name: the full name of the user (usually first name and surname).
Description: user description (e.g. a position in the company).
The Full Name and Description items are informative only. Any information can be included, or the fields can be left empty.
Email address: the address to which alerts (see chapter 19.4 Alerts) and other information (e.g. a notice that a data transfer limit has been exceeded) will be sent. A valid email address should be set for each user, otherwise some WinRoute features cannot be used effectively.
Note: A relay SMTP server must be set in WinRoute, otherwise alert messages cannot be sent to users. For details, refer to chapter 18.3 Relay SMTP server.
Authentication: user authentication (see below).
Disabled account: temporary blocking of the account so that you do not have to remove it.
Note: For example, this option can be used for an account that will not be used immediately (e.g. an account for a new employee who has not started yet).
Define parameters for the user account (access rights, data transfer quotas and content rules). These parameters can either be taken from the domain's template (see chapter 15.1 Viewing and definitions of user accounts) or be set individually for the account.
Using a template is suitable for common accounts in the domain (ordinary user accounts): definition of such accounts is simpler and faster.
Individual configuration is recommended especially for accounts with special rights (e.g. WinRoute administration accounts). There are usually only a few such accounts, which keeps their individual configuration manageable.
Internal user database: user account information (including the password) is stored locally in WinRoute. In this case, specify the Password and Confirm password items (later, the password can be changed in the Web interface — see chapter 11 Web Interface).
Passwords may contain printable symbols only (letters, numbers, punctuation marks). Passwords are case-sensitive. We recommend not using special characters (non-English letters), which might cause problems when authenticating via the Web interface.
Accounts authenticated against the internal database cannot use automatic NTLM authentication (refer to chapter 25.2 Automatic user authentication using NTLM). These accounts also cannot be used for authentication to the Clientless SSL-VPN interface (see chapter 24 Kerio Clientless SSL-VPN).
Windows NT domain / Active Directory: the user is authenticated through the Windows NT domain (Windows NT 4.0) or through Active Directory (Windows 2000/2003/2008).
Parameters for authentication through the Windows NT domain and/or Active Directory are set on the Active Directory / NT domain tab of the Users section. If both Active Directory and Windows NT domain authentication are set, Active Directory is preferred.
Note: User accounts with this type of authentication will not be active unless authentication through Active Directory and/or the NT domain is enabled. For details, see chapter 15.3 Local user database: external authentication and import of accounts.
Groups into which the user will be included can be added or removed with the buttons in this dialog (to create new groups, see chapter 15.5 User groups). Follow the same guidelines to add users to groups during group definition; it does not matter whether groups or users are defined first. While adding groups you can mark more than one group by holding either the Ctrl or the Shift key.
Each user must be assigned one of the following three levels of access rights:
No access to administration: the user has no rights to access the WinRoute administration. This setting is used for the majority of users.
Read-only access: the user can connect to the WinRoute administration and read settings and logs, but cannot change them.
Full access to administration: these users have full administration rights, equal to the Admin account. If there is at least one other user with full access to the administration, the default Admin account can be removed.
Additional rights:
User can customize personal web content filtering settings independently of the global configuration (for details, refer to Step 5).
If this option is checked, the user is allowed to bypass the rule denying access to the queried website — at the page providing information about the denial, the Unlock button is displayed. The unlock feature must also be enabled in the corresponding URL rule (for details, refer to chapter 12.2 URL Rules).
If the Internet connection uses dial-up lines, users with this right will be allowed to dial and hang up these lines in the Web interface (see chapter 11 Web Interface).
The user is allowed to connect through WinRoute's VPN server (using Kerio VPN Client). For detailed information, see chapter 23 Kerio VPN.
The user will be allowed to access shared files and folders in the local network via the Clientless SSL-VPN web interface. For details, see chapter 24 Kerio Clientless SSL-VPN.
Traffic of this user will not be blocked if P2P (Peer-to-Peer) networks are detected. For details, see chapter 17.1 P2P Eliminator.
This user will be allowed to view firewall statistics in the web interface (see chapter 11 Web Interface).
Access rights can also be defined by a user account template.
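The administrator-account rules above (an account with full rights can be removed only while another full-access account remains; an Admin account with a blank password is recreated when no full-access account exists at engine start) and the three access levels are modelled in the following added example. It is not Kerio's code and not WinRoute's API; the class and method names, the in-memory store standing in for userDB.cfg, and the sample accounts are this example's own assumptions.

```python
# Added example (not Kerio's code): a model of the administrator-account
# rules described in this chapter. Names here are this example's own.
from dataclasses import dataclass
from enum import Enum


class AccessLevel(Enum):
    NO_ACCESS = "no access to administration"
    READ_ONLY = "read-only access to administration"
    FULL = "full access to administration"


@dataclass
class LocalUser:
    name: str
    password: str
    access: AccessLevel = AccessLevel.NO_ACCESS


class LocalUserDatabase:
    """In-memory stand-in for the userDB.cfg store (assumption: keyed by
    lower-cased name, because user names are not case-sensitive)."""

    def __init__(self):
        self._users = {}

    def add(self, user):
        key = user.name.lower()
        if key in self._users:
            raise ValueError(f"user {user.name!r} already exists")
        self._users[key] = user
        return user

    def get(self, name):
        return self._users.get(name.lower())

    def full_access_accounts(self):
        return [u for u in self._users.values() if u.access is AccessLevel.FULL]

    def can_remove(self, name):
        """A full-access account may go only if another full-access account
        remains (rule from the text); other accounts may always be removed."""
        user = self.get(name)
        if user is None:
            return False
        if user.access is not AccessLevel.FULL:
            return True
        return any(u is not user for u in self.full_access_accounts())

    def remove(self, name):
        if self.get(name) is None:
            raise KeyError(name)
        if not self.can_remove(name):
            raise PermissionError(
                f"cannot remove {name!r}: last account with full administration rights")
        del self._users[name.lower()]

    def set_access(self, name, level):
        # Demoting the last administrator is not covered by the removal rule;
        # that is one way the recovery case in engine_start() can arise.
        self.get(name).access = level

    def engine_start(self):
        """Recovery rule from the text: when no full-access account exists at
        engine start, a local 'Admin' account with a blank password is created.
        Returns the recreated account, or None if no recovery was needed."""
        if self.full_access_accounts():
            return None
        return self.add(LocalUser("Admin", "", AccessLevel.FULL))

    def has_blank_password_admin(self):
        """Check worth running after any recovery: a full-access account that
        still carries an empty password."""
        return any(u.password == "" for u in self.full_access_accounts())
```

The `has_blank_password_admin` check is the one a practitioner wants after the engine has recreated Admin: the recovery account is usable by anyone who can reach the Administration Console until a password is set.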
Daily, weekly and monthly limits for the volume of data transferred by the user, as well as the actions to be taken when a quota is exceeded, can be set in this section.
Use the Direction combo box to select which transfer direction is counted against the limit (download: incoming data; upload: outgoing data; all traffic: both incoming and outgoing data).
The limit is set in the Quota entry in megabytes or gigabytes.
Set actions which will be taken whenever a quota is exceeded:
Block any further traffic — the user may continue using already opened connections but cannot establish new ones (i.e. connect to another server, download a file through FTP, etc.).
Don't block further traffic (Only limit bandwidth...) — the user's Internet connection speed (bandwidth) is limited. Traffic is not blocked, but the user will notice that the Internet connection is slower than usual, which should prompt such users to reduce their network activity. For detailed information, see chapter 9 Bandwidth Limiter.
Check the Notify user by email when quota is exceeded option to send a warning message to the user whenever a quota is exceeded. A valid email address must be specified for the user (see Step 1) and an SMTP relay must be set in WinRoute (see chapter 18.3 Relay SMTP server).
If you also want the WinRoute administrator to be notified when a quota is about to be exceeded, set the alert parameters in Configuration → Accounting. For details, refer to chapter 19.4 Alerts.
Note:
If a quota is exceeded and traffic is blocked as a result, the restriction stays in effect until the end of the quota period (day, week or month). To lift it before the end of the period, take one of the following actions:
temporarily disable the corresponding limit, raise its value, or switch to the Don't block further traffic mode;
reset the user's data volume counter (see chapter 20.1 Volume of transferred data and quota usage).
Quota-exceeded actions are not applied when the user is authenticated on the firewall host itself (the WinRoute host): blocking that host's traffic would block the firewall's own traffic and thereby all local users. The transferred data is nevertheless counted against the quota.
Data transfer quota and actions applied in response can also be set by a user account template.
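The quota behaviour described in this step (per-period counters checked against a chosen direction, "block further traffic" versus "limit bandwidth", the exemption for a user authenticated on the firewall host whose traffic is still counted, and the early lift by resetting a counter) is modelled in the following added example. It is not Kerio's code; the class names, the byte-level accounting and the sample volumes are this example's assumptions.

```python
# Added example (not Kerio's code): a model of the per-user data transfer
# quota logic described in this section. Names are this example's own.
from dataclasses import dataclass, field

MB = 1024 * 1024
GB = 1024 * MB
PERIODS = ("day", "week", "month")


@dataclass
class Quota:
    period: str       # "day", "week" or "month"
    direction: str    # "download", "upload" or "all"
    limit: int        # bytes


@dataclass
class UserQuotaState:
    quotas: list
    action: str = "block"           # "block" or "limit_bandwidth"
    at_firewall_host: bool = False  # user authenticated on the WinRoute host
    # counters[period] = [bytes downloaded, bytes uploaded]
    counters: dict = field(default_factory=lambda: {p: [0, 0] for p in PERIODS})

    def account(self, downloaded=0, uploaded=0):
        """Traffic is always counted, even where the block is not applied."""
        for counter in self.counters.values():
            counter[0] += downloaded
            counter[1] += uploaded

    def transferred(self, period, direction):
        down, up = self.counters[period]
        return {"download": down, "upload": up, "all": down + up}[direction]

    def exceeded_quotas(self):
        return [q for q in self.quotas
                if self.transferred(q.period, q.direction) > q.limit]

    def decide(self, new_connection):
        """Outcome for a traffic event: 'allow', 'refuse' or 'throttle'."""
        if not self.exceeded_quotas():
            return "allow"
        if self.at_firewall_host:
            return "allow"        # blocking here would block the firewall itself
        if self.action == "block":
            # open connections keep running; only new connections are refused
            return "refuse" if new_connection else "allow"
        return "throttle"         # the bandwidth limiter applies instead

    def reset(self, period):
        """Early lift of a block: reset the counter for that period only."""
        self.counters[period] = [0, 0]
```

Note that resetting the daily counter does not touch the weekly or monthly one, so a user who has also crossed a longer-period limit stays blocked; this mirrors the text, which ties the restriction to the period of the quota that was exceeded.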
In the WWW content scanning options section, special content filter rules settings for individual users can be defined. Global rules (defined in the Content Rules tab in the Configuration → Content Filtering → HTTP Policy section) are used as default (when a new user account is defined). For details, see chapter 12.3 Global rules for Web elements.
The Language options section sets the preferred language of WinRoute's web interface (including the Kerio StaR interface). The Browser detected option takes the preference from the user's web browser settings and uses the available language with the highest preference; English is used if none of the preferred languages is available.
The preferred language also applies to email alerts sent by the firewall (notices of reaching a data transfer quota, detected viruses, detected P2P networks, etc.). If the language is detected from the browser, alerts use the language selected at the user's previous login to the web interface; if the user has never logged into the web interface, alerts are sent in English.
Note: These settings can be customized on the corresponding page of WinRoute's Web interface (see Kerio WinRoute Firewall — User's Guide). If the user is allowed to override content rules, any of these settings can be changed; users who are not allowed to override rules can only enable or disable the features available to them (set in their personal configuration). Language preferences can be changed at any time (the setting also applies to the Administration Console).
Content rules can also be defined by a user account template.
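The language selection described above (take the browser's preferences, pick the available language with the highest preference, fall back to English; for alerts, reuse the language of the last web login or English if there was none) is shown in the following added example. It is not Kerio's code; the set of available interface languages, the function names and the sample browser headers are this example's assumptions, and the browser preference is read from a standard Accept-Language header with q-values.

```python
# Added example (not Kerio's code): preferred-language selection as
# described in the text. The available-language set is an assumption.
AVAILABLE = {"en", "cs", "de", "es"}   # assumed set of interface languages
DEFAULT = "en"                         # used when nothing preferred is available


def parse_accept_language(header):
    """Return [(tag, q)] sorted by descending q; ties keep header order."""
    prefs = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        prefs.append((tag.strip().lower(), q, position))
    prefs.sort(key=lambda item: (-item[1], item[2]))
    return [(tag, q) for tag, q, _ in prefs]


def choose_language(header, available=AVAILABLE):
    """Highest-preference language the interface has; 'cs-CZ' matches 'cs'."""
    for tag, q in parse_accept_language(header or ""):
        if q <= 0:
            continue
        if tag in available:
            return tag
        primary = tag.split("-")[0]
        if primary in available:
            return primary
    return DEFAULT


class UserLanguagePrefs:
    """setting is 'browser' (detect from the browser) or a fixed language tag."""

    def __init__(self, setting="browser"):
        self.setting = setting
        self.last_login_language = None   # remembered from the last web login

    def web_interface_language(self, accept_language):
        if self.setting != "browser":
            return self.setting
        language = choose_language(accept_language)
        self.last_login_language = language
        return language

    def alert_language(self):
        if self.setting != "browser":
            return self.setting
        # alerts reuse the last web login's language; English if never logged in
        return self.last_login_language or DEFAULT
```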
If a user works at a reserved workstation (i.e. a computer not used by anyone else) with a fixed IP address (static, or reserved at the DHCP server), the user can be logged in automatically from that IP address. Whenever a connection from this IP address is detected, WinRoute assumes the connection is made by this user and does not require authentication. The user is logged in automatically and all functions are available as if the user had authenticated with a username and password.
It follows that only one user can be automatically authenticated from a particular IP address. When a user account is saved, WinRoute automatically checks whether the specified IP address is already used for automatic login of another user.
Automatic login can be set for the firewall (i.e. the WinRoute host) and/or for any other host(s) (e.g. when the user also connects from an additional workstation or notebook). An IP address group can be used to specify multiple hosts (refer to chapter 14.1 IP Address Groups).
Automatic login lowers security. Whoever works on a computer for which automatic login is enabled acts under the identity of the user who is authenticated automatically, and the same holds for any other host that obtains that IP address, since the decision is based on the source address alone. Automatic login should therefore be combined with another security measure, such as requiring the user to log in to the operating system, and should only be used with addresses that other hosts cannot pick up (static addresses or DHCP reservations).
An IP address that is always assigned to the VPN client of the particular user can be specified under VPN client address. This way, a user gets a fixed IP address when connecting to the local network via the Kerio VPN Client, and this address can be added to the list of addresses from which the user is authenticated automatically.
For detailed information on the Kerio Technologies' proprietary VPN solution, refer to chapter 23 Kerio VPN.
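The automatic-login behaviour described above (single hosts, IP address groups and a fixed VPN client address registered per user; at most one user per address, checked when the account is saved; a connection from a registered address attributed to that user with no password asked, everything else required to authenticate) is modelled in the following added example. It is not Kerio's code; the class name, the CIDR notation used for IP address groups, the credential-verification callback and the sample addresses are this example's assumptions.

```python
# Added example (not Kerio's code): a model of automatic login by IP
# address as described above. Names are this example's own.
import ipaddress


class AutoLoginRegistry:
    def __init__(self):
        self._entries = []   # (ip_network, username)

    def conflict(self, username, address):
        """Return the other user already using this address (or a range that
        overlaps it) for automatic login, or None. This is the check the text
        says WinRoute performs when an account is saved."""
        net = ipaddress.ip_network(address, strict=False)
        for existing, owner in self._entries:
            if owner != username and net.overlaps(existing):
                return owner
        return None

    def assign(self, username, *addresses):
        """Register single hosts ('192.168.1.10'), IP address groups given as
        CIDR ranges, or a fixed VPN client address for this user."""
        for address in addresses:
            owner = self.conflict(username, address)
            if owner is not None:
                raise ValueError(f"{address} already used for automatic login of {owner!r}")
        for address in addresses:
            self._entries.append((ipaddress.ip_network(address, strict=False), username))

    def identify(self, src_ip, credentials=None, verify=None):
        """Identity for a connection: the auto-login user if the source address
        is registered (no password asked, hence the caveat in the text), else
        the user named by credentials that verify, else None."""
        addr = ipaddress.ip_address(src_ip)
        for net, owner in self._entries:
            if addr in net:
                return owner
        if credentials is not None and verify is not None:
            username, password = credentials
            if verify(username, password):
                return username
        return None


# Constructed sample configuration (assumption, not from the page):
registry = AutoLoginRegistry()
registry.assign("jsmith", "192.168.1.10", "10.8.0.10")   # workstation + fixed VPN client address
registry.assign("kiosk", "192.168.2.8/29")                # an IP address group
```

The `identify` check makes the caveat concrete: a connection from 192.168.1.10 is attributed to jsmith whatever credentials it carries, which is exactly why the address must be one no other host can acquire.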