To define basic WinRoute Web interface parameters go to the Web Interface folder in Configuration → Advanced Options.
Note: In WinRoute for Windows, the Web Interfaces tab also includes options for Kerio SSL-VPN. For detailed information on this component, see chapter 24 Kerio Clientless SSL-VPN (Windows).
Use this option to open the unsecured version (HTTP) of the Web interface. The default port for this unsecured interface is 4080.
Note: The main disadvantage of the unsecured web interface is that the network traffic may be tapped and user login data might be misused. Therefore, the secured web interface should be preferred.
Use this option to open the secured version (HTTPS) of the Web interface. The default port for this interface is 4081.
Server DNS name that will be used for purposes of the Web interface (e.g. server.company.com).
The name need not necessarily be identical with the host name; however, an appropriate entry must exist in DNS for proper name resolution. The SSL certificate for the secure web interface (see below) should also be issued for this server name.
The server name is also used when WinRoute needs to redirect the browser to the login page (for example if an unauthenticated user attempts to open a web page where authentication is required; see chapters 10.1 Firewall User Authentication and 12.2 URL Rules).
Notes:
If all clients accessing the web interface use the DNS module in WinRoute as their DNS server, there is no need to add the server name to DNS. The name is already known and is combined with the name of the local domain (see chapter 8.1 DNS module).
In the Software Appliance / VMware Virtual Appliance edition, the server name defined on the System Configuration tab is set automatically in this item (see chapter 16.1 System configuration (Software Appliance / VMware Virtual Appliance)).
Select the IP address group whose members will always be allowed to connect to the Web interface (usually hosts in the local network). You can also click the button to edit the selected group of IP addresses or to create a new IP group (details in chapter 14.1 IP Address Groups).
Access restrictions are applied to both the unencrypted and the encrypted version of the Web interface.
Advanced parameters for the Web interface can be set by clicking on the corresponding button.
Use the TCP ports section to set ports for the unencrypted and encrypted versions of the Web interface (default ports are 4080 for the unencrypted and 4081 for the encrypted version of the Web interface).
Hint: If no WWW server is running on the WinRoute host, the standard port of the HTTP protocol (i.e. 80) can be used for the unsecured web interface and the standard port of the HTTPS protocol (i.e. port 443) for the secured web interface. If standard ports are used, the port number need not be given in URLs for pages of the web interface.
However, in WinRoute for Windows, the standard HTTPS port (443) is used by the Clientless SSL-VPN interface (see chapter 24 Kerio Clientless SSL-VPN (Windows)). Therefore, it cannot be used for the secured web interface in the default configuration.
If either entry specifies a port which is already used by another service or application, and the button (in Configuration → Advanced Options) is clicked, WinRoute will accept this port; however, the Web interface will not run on that port and an error in the following format will be reported in the Error log (see chapter 22.8 Error Log):
Socket error: Unable to bind socket for service to port 80. (5002) Failed to start service "WebInterface" bound to address 192.168.1.10.
If you are not sure that the specified ports are free, check the Error log immediately after clicking the button to find out whether the corresponding error has been logged.
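The two checks the manual recommends, as an added example that is not part of the Kerio documentation or product: probing whether the configured Web interface ports can still be bound on the host, and scanning Error log text for the bind-failure entry quoted above. The log excerpt is constructed to match that format; the listen address 0.0.0.0 is an assumption.

```python
"""Pre-flight check for WinRoute Web interface ports (added example, not Kerio code)."""
import re
import socket

# Default ports of the unsecured (HTTP) and secured (HTTPS) Web interface.
DEFAULT_PORTS = {"http": 4080, "https": 4081}

# Matches the Error log entry described in the manual, e.g.
#   Socket error: Unable to bind socket for service to port 80. (5002)
#   Failed to start service "WebInterface" bound to address 192.168.1.10.
BIND_ERROR_RE = re.compile(
    r'Unable to bind socket for service to port (?P<port>\d+)\. \((?P<code>\d+)\) '
    r'Failed to start service "(?P<service>[^"]+)" bound to address '
    r'(?P<address>\d{1,3}(?:\.\d{1,3}){3})'
)


def port_is_free(port, address="0.0.0.0"):
    """Return True if a TCP listener can currently be bound to address:port.

    This is the same bind() that WinRoute performs when the settings are applied,
    so a False here means the Web interface would fail to start on that port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((address, port))
        except OSError:
            return False
    return True


def check_ports(ports=DEFAULT_PORTS, address="0.0.0.0"):
    """Map each Web interface version to whether its port is free right now."""
    return {name: port_is_free(port, address) for name, port in ports.items()}


def find_bind_errors(log_text):
    """Return (service, port, address, code) for every bind failure in log_text."""
    found = []
    for line in log_text.splitlines():
        match = BIND_ERROR_RE.search(line)
        if match:
            found.append((match["service"], int(match["port"]),
                          match["address"], int(match["code"])))
    return found


# Constructed sample Error log excerpt in the format the manual describes.
SAMPLE_ERROR_LOG = """\
[12/Jan/2024 10:01:02] Socket error: Unable to bind socket for service to port 80. (5002) Failed to start service "WebInterface" bound to address 192.168.1.10.
[12/Jan/2024 10:01:02] Socket error: Unable to bind socket for service to port 443. (5002) Failed to start service "WebInterface" bound to address 192.168.1.10.
"""

if __name__ == "__main__":
    for service, port, address, code in find_bind_errors(SAMPLE_ERROR_LOG):
        print(f"{service}: port {port} on {address} is already taken (error {code})")
    print(check_ports())
```

Run it on the WinRoute host before applying a port change; any port reported as not free would produce exactly the logged error described above.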
The principle of the encrypted WinRoute Web interface is that all communication between the client and server is encrypted to protect it from wiretapping and misuse of the transmitted data. The SSL protocol first uses asymmetric encryption to exchange a symmetric encryption key, which is then used to encrypt the transmitted data.
The asymmetric cipher uses two keys: a public one for encrypting and a private one for decrypting. As their names suggest, the public (encrypting) key is available to anyone wishing to establish a connection with the server, whereas the private (decrypting) key is available only to the server and must remain secret. The client, however, also needs to be able to identify the server (to find out if it is truly the server and not an impostor). For this purpose there is a certificate, which contains the public server key, the server name, expiration date and other details. To ensure the authenticity of the certificate it must be certified and signed by a third party, the certification authority.
Communication between the client and server then follows this scheme: the client generates a symmetric encryption key and encrypts it with the public server key (obtained from the server certificate). The server decrypts it with its private key (kept solely by the server). Thus the symmetric key is known only to the server and the client. This key is then used to encrypt and decrypt all further traffic.
During WinRoute installation, a testing certificate for the SSL-secured Web interface is created automatically (it is stored in the sslcert subdirectory under WinRoute's installation directory, in the server.crt file; the private key for the certificate is saved as server.key). The certificate created is unique. However, it is issued against a non-existing server name and it is not issued by a trustworthy certificate authority. This certificate is intended to ensure functionality of the secured Web interface (usually for testing purposes) until a new certificate is created or a certificate issued by a public certificate authority is imported.
Click on the button (in the dialog for advanced settings for the Web interface) to view the dialog with the current server certificate. By selecting the Field (certificate entry) option you can view information either about the certificate issuer or about the subject represented by your server.
You can obtain your own certificate, which verifies your server's identity, by two means.
You can create your own self-signed certificate. Click the corresponding button and fill in the certificate details; entries marked with an asterisk (*) are required.
Click the button in the Server SSL certificate dialog. The certificate will be put into use automatically (you will not need to restart your operating system). When created, the certificate is saved as server.crt and the corresponding private key as server.key.
A new (self-signed) certificate is unique. It is created by your company, addressed to your company and based on the name of your server. Unlike the testing certificate, this certificate ensures your clients' security, as it is unique and the identity of your server is guaranteed by it. Clients will only be warned that the certificate was not issued by a trustworthy certification authority. However, they can install the certificate in the browser without worry, since they know who created the certificate and why. Secure communication is then ensured for them, and no warning will be displayed again because your certificate has all it needs.
Another option is to purchase a full certificate from a public certification authority (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.).
To import a certificate, open the certificate file (*.crt) and the file containing the corresponding private key (*.key). These files are stored in sslcert under WinRoute's installation directory.
The process of certification is quite complex and requires a certain expertise. For detailed instructions contact Kerio technical support.