Remote administration means connecting to the firewall, monitoring it and changing its configuration with the Administration Console or the Web Administration interface from a host other than the one on which WinRoute is installed.
If WinRoute includes only traffic rules created automatically by the wizard (see chapter 7.1 Network Rules Wizard), access to the remote administration is allowed via all trustworthy network interfaces (see chapter 5 Network interfaces). This means that remote administration is available from all local hosts.
To allow or deny remote administration via the Internet (non-trusted networks), define a corresponding traffic rule. Traffic between WinRoute and the Administration Console uses the TCP and UDP protocols on port 44333. The rule can be defined with the predefined service KWF Admin. The secured version of the Web Administration interface uses the TCP protocol, on port 4081 by default (predefined KWF WebAdmin-SSL service).
The following example demonstrates how to allow WinRoute remote administration from selected Internet IP addresses.
Source — group of IP addresses from which remote administration will be allowed (see chapter 14.1 IP Address Groups).
For security reasons it is not recommended to allow remote administration from an arbitrary host within the Internet (this means: do not set Source as Any or as Internet)!
Destination — Firewall (host where WinRoute is installed).
Service — KWF Admin (connection with the Administration Console) and KWF WebAdmin-SSL (secured version of the Web Administration interface).
It is not recommended to allow access via the unsecured version of the Web Administration interface (the KWF WebAdmin service)! Unsecured traffic might be tapped and misused for attacking the firewall and local hosts behind it.
Action — Permit (otherwise remote administration would be blocked).
Translation — Because the engine is running on the firewall, there is no need for translation.
In WinRoute, you can use a similar method to allow or block remote administration of Kerio MailServer — for connection via the Administration Console, use the predefined service KMS Admin, for the Web Administration use HTTPS.
Note: Be very careful while defining traffic rules, otherwise you could block remote administration from the host you are currently working on. However, in most cases, WinRoute recognizes such a situation and shows a warning message. Local connections (from the WinRoute Firewall Engine's host) work anyway. Such traffic cannot be blocked by any rule.
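The recommendations for the rule fields and the lockout warning in the note can be checked mechanically before a rule is applied. The following is an added example, not part of the WinRoute documentation or product: the dictionary layout of a rule and the function name audit_rule are assumptions made for illustration, and the sample rules use constructed documentation addresses.

```python
import ipaddress

# Service names come from the text above; the rule dict layout is assumed.
SECURE = {"KWF Admin", "KWF WebAdmin-SSL"}
UNSECURED = {"KWF WebAdmin"}
OPEN_SOURCES = {"any", "internet"}

def audit_rule(rule, admin_host=None):
    """Return findings for one remote-administration traffic rule."""
    findings, nets, open_source = [], [], False
    for src in rule["source"]:
        if src.strip().lower() in OPEN_SOURCES:
            open_source = True
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(f"source '{src}' is not a valid address or network")
            continue
        if net.prefixlen == 0:
            open_source = True  # 0.0.0.0/0 or ::/0 is Any in disguise
        nets.append(net)
    if open_source:
        findings.append("source allows administration from arbitrary hosts")
    for svc in rule["services"]:
        if svc in UNSECURED:
            findings.append(f"service '{svc}' is the unsecured Web Administration")
        elif svc not in SECURE:
            findings.append(f"service '{svc}' is not a remote-administration service")
    if rule["destination"] != "Firewall":
        findings.append("destination is not Firewall")
    if rule["action"] != "Permit":
        findings.append("action is not Permit, remote administration is blocked")
    # Lockout check from the note: is the host we work on still in the group?
    if admin_host and not open_source:
        addr = ipaddress.ip_address(admin_host)
        if not any(addr in n for n in nets if n.version == addr.version):
            findings.append(f"current host {admin_host} is not in the source group")
    return findings

# Constructed sample rules (documentation address ranges, RFC 5737).
GOOD = {"source": ["192.0.2.10", "198.51.100.0/28"], "destination": "Firewall",
        "services": ["KWF Admin", "KWF WebAdmin-SSL"], "action": "Permit"}
BAD = {"source": ["Any"], "destination": "Firewall",
       "services": ["KWF Admin", "KWF WebAdmin"], "action": "Permit"}

if __name__ == "__main__":
    for name, rule in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_rule(rule, admin_host="203.0.113.7"))
```

An empty list means the rule follows the recommendations above and still admits the host passed as admin_host.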