16.1  Setting Remote Administration

Remote administration can be either permitted or denied by definition of the appropriate traffic rule. Traffic between WinRoute and Administration Console is performed by TCP and UDP protocols over port 44333. The definition can be done with the predefined service KWF Admin.

If WinRoute includes only traffic rules generated by the wizard, remote administration is available through all interfaces except the one which is used for Internet connection and where NAT is enabled (see chapter 7.1  Network Rules Wizard). This means that remote administration is available from all local hosts.

How to allow remote administration from the Internet

In the following example we will demonstrate how to allow WinRoute remote administration from some Internet IP addresses.

  • Source — group of IP addresses from which remote administration will be allowed.

    For security reasons it is not recommended to allow remote administration from an arbitrary host within the Internet (this means: do not set Source as the Web interface).

  • DestinationFirewall (host where WinRoute is running)

  • ServiceKWF Admin (predefined service— WinRoute administration)

  • ActionPermit (otherwise remote administration would be blocked)

  • Translation — Because the engine is running on the firewall there is no need for translation.

Traffic rule that allows remote administration

Figure 16.1. Traffic rule that allows remote administration


Hint

The same method can be used to enable or disable remote administration of Kerio MailServer through WinRoute (the KMS Admin service can be used for this purpose).

Note: Be very careful while defining traffic rules, otherwise you could block remote administration from the host you are currently working on. If this happens, the connection between Administration Console and WinRoute Firewall Engine is interrupted (upon clicking on the Apply button in Configuration → Traffic Policy). Local connections (from the WinRoute Firewall Engine's host) works anyway. Such a traffic cannot be blocked by any rule.