Any user with their own account in WinRoute can authenticate at the firewall (regardless of their access rights). Users can connect:
Manually — by opening the WinRoute web interface in their browser
https://server:4081/
or http://server:4080/
(the name of the server and the port numbers are examples only — see chapter 11 Web Interface).
It is also possible to authenticate to view the web statistics (see chapter 21 Kerio StaR — statistics and reporting) at
https://server:4081/star
or http://server:4080/star
Note: Login to the Web Administration interface at
https://server:4081/admin
or http://server:4080/admin
is not equivalent to user authentication at the firewall (i.e. logging in there does not authenticate the user at the firewall)!
Automatically — IP addresses of hosts from which users will be authenticated automatically can be associated with individual user accounts. This means that whenever traffic coming from the particular host is detected, WinRoute assumes that the host is currently being used by the particular user, and the user is considered authenticated from that IP address. However, users may still authenticate from other hosts (using the methods described above).
IP addresses for automatic authentication can be set when defining the user account (see chapter 15.1 Viewing and definitions of user accounts).
This authentication method is not recommended for hosts that are used by multiple users (a user's identity could easily be misused).
Redirection — when accessing any website (unless access to this page is explicitly allowed to unauthenticated users — see chapter 12.2 URL Rules).
Login by redirection is performed as follows: the user enters the URL of the page that he/she intends to open in the browser. WinRoute detects whether the user has already authenticated. If not, WinRoute redirects the user to the login page automatically. After a successful login, the user is automatically redirected to the requested page or to a page informing them that access was denied.
Note: Users will be redirected to the secured or the unsecured web interface depending on which version of the web interface is allowed (see chapter 11.1 Web interface preferences). If both versions are allowed, the secured web interface will be used.
Using NTLM — if Internet Explorer or Firefox/SeaMonkey is used and the user is authenticated in a Windows NT domain or Active Directory, the user can be authenticated automatically (the login page will not be displayed). For details, see chapter 25.3 Automatic user authentication using NTLM.
Login/logout parameters can be set on the Authentication Options tab under Users and Groups → Users.
If the Always require users to be authenticated when accessing web pages option is enabled, user authentication will be required for access to any website (unless the user is already authenticated). The method of the authentication request depends on the method used by the particular browser to connect to the Internet:
Direct access — the browser will be automatically redirected to the authentication page of WinRoute's web interface (see chapter 11.2 User authentication at the web interface) and, if the authentication is successful, to the requested web page.
WinRoute proxy server — the browser displays the authentication dialog and then, if the authentication is successful, it opens the requested web page.
If the Always require users to be authenticated when accessing web pages option is disabled, user authentication will be required only for web pages which are not available to unauthenticated users, i.e. which are denied to them by URL rules (refer to chapter 12.2 URL Rules).
Note: User authentication is used both for accessing a web page (and/or other services) and for monitoring the activities of individual users (the Internet is not anonymous).
Under usual circumstances, a user connected to the firewall from a particular computer is considered authenticated by the IP address of the host until they log out manually or are logged out automatically for inactivity. However, if the client station allows multiple users to be connected to the computer at the same time (e.g. Microsoft Terminal Services, Citrix Presentation Server or Fast user switching on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008), the firewall requires authentication only from the user who starts working on the host first. The other users will be authenticated as this user.
In the case of HTTP and HTTPS, this technical limitation can be worked around. In the web browsers of all clients of the multi-user system, set the connection to the Internet to go via WinRoute's proxy server (for details, see chapter 8.4 Proxy server), and enable the Enable non-transparent proxy server option in WinRoute. The proxy server will require authentication for each new session of the particular browser [5].
Forcing user authentication on the proxy server for initiation of each session may bother users working on “single-user” hosts. Therefore, it is desirable to force such authentication only for hosts used by multiple users. For this purpose, you can use the Apply only for these IP addresses option.
If the Enable user authentication automatically... option is checked and Internet Explorer (version 5.01 or later) or Firefox/SeaMonkey (core version 1.3 or later) is used, it is possible to authenticate the user automatically using the NTLM method.
This means that the browser does not require username and password and simply uses the identity of the first user connected to Windows. However, the NTLM method is not available for other operating systems.
For details, refer to chapter 25.3 Automatic user authentication using NTLM.
Timeout is a time interval (in minutes) of allowed user inactivity. When this period expires, the user is automatically logged out from the firewall. The default timeout value is 120 minutes (2 hours).
This situation often comes up when a user forgets to log out from the firewall. Therefore, it is not recommended to disable this option; otherwise, the login data of a user who forgot to log out might be misused by an unauthorized user.
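The following added example (not part of the Kerio documentation and not WinRoute code) is a simplified Python model of the behaviour described above: IP-keyed authentication on a multi-user host, the inactivity timeout, and proxy authentication per browser session applied only to listed addresses. The class, the session labels and the 192.0.2.10 address are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class FirewallModel:
    """Simplified model of firewall authentication; names are hypothetical."""
    timeout_min: int = 120            # default inactivity timeout from the text
    proxy_auth_nets: tuple = ()       # models "Apply only for these IP addresses"
    by_ip: dict = field(default_factory=dict)       # ip -> (user, last_seen)
    by_session: dict = field(default_factory=dict)  # (ip, session) -> user

    def _proxy_auth(self, ip):
        return any(ip_address(ip) in ip_network(n) for n in self.proxy_auth_nets)

    def login(self, ip, user, now, session=None):
        if self._proxy_auth(ip):
            self.by_session[(ip, session)] = user   # one login per browser session
        else:
            self.by_ip[ip] = (user, now)            # one login per IP address

    def attribute(self, ip, now, session=None):
        """Return the user the traffic is logged under, or None (login required)."""
        if self._proxy_auth(ip):
            return self.by_session.get((ip, session))
        entry = self.by_ip.get(ip)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen >= self.timeout_min:
            del self.by_ip[ip]                      # automatic logout for inactivity
            return None
        self.by_ip[ip] = (user, now)                # activity restarts the timer
        return user

def demo():
    ts = "192.0.2.10"  # constructed address of a terminal server
    fw = FirewallModel()
    fw.login(ts, "alice", now=0)
    shared = fw.attribute(ts, now=5)        # second user's traffic, same IP
    idle = fw.attribute(ts, now=5 + 120)    # nothing seen for 120 minutes
    fw2 = FirewallModel(proxy_auth_nets=(ts + "/32",))
    fw2.login(ts, "alice", now=0, session="browser-A")
    other = fw2.attribute(ts, now=5, session="browser-B")  # must log in itself
    own = fw2.attribute(ts, now=5, session="browser-A")
    return shared, idle, other, own

if __name__ == "__main__":
    print(demo())
```

Without the proxy setting, the second user's traffic is logged under "alice"; with it, the second browser session is unauthenticated until that user logs in, while single-user hosts outside the listed addresses keep the IP-based behaviour.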
[5] Session is every single period during which a browser is running. For example, in case of Internet Explorer, Firefox and Opera, a session is terminated whenever all windows and tabs of the browser are closed, while in case of SeaMonkey, a session is not closed unless the Quick Launch program is stopped (an icon is displayed in the toolbar's notification area when the program is running).