Setting Remote Administration – Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual


firewall’s system time. The time zone also includes information about daylight saving time settings.

Kerio Technologies offers the following free NTP servers for this purpose: 0.kerio.pool.ntp.org, 1.kerio.pool.ntp.org, 2.kerio.pool.ntp.org and 3.kerio.pool.ntp.org.

16.2 Setting Remote Administration

Remote administration means connecting to the firewall, monitoring it and changing its configuration with the Administration Console or the Web Administration interface from a host other than the one on which WinRoute is installed.

If WinRoute includes only traffic rules created automatically by the wizard (see chapter 7.1), access to the remote administration is allowed via all trustworthy network interfaces (see chapter 5). This means that remote administration is available from all local hosts.

To allow or deny remote administration via the Internet (non-trusted networks), define a corresponding traffic rule. Traffic between WinRoute and the Administration Console uses the TCP and UDP protocols on port 44333. The rule can be defined with the predefined service KWF Admin. The secured version of the Web Administration interface uses the TCP protocol, on port 4081 by default (predefined service KWF WebAdmin-SSL).

How to allow remote administration from the Internet

In the following example we will demonstrate how to allow WinRoute remote administration from some Internet IP addresses.

Source: group of IP addresses from which remote administration will be allowed (see chapter 14.1). For security reasons it is not recommended to allow remote administration from an arbitrary host within the Internet (this means: do not set Source as Any or as Internet)!

Destination: Firewall (host where WinRoute is installed).

Service: KWF Admin (connection with the Administration Console) and KWF WebAdmin-SSL (secured version of the Web Administration interface). It is not recommended to allow access via the unsecured version of the Web Administration interface (the KWF WebAdmin service)! Unsecured traffic can be intercepted and misused to attack the firewall and the local hosts behind it.

Action: Permit (otherwise remote administration would be blocked).

Translation: because the engine is running on the firewall, there is no need for translation.

Figure 16.2 Traffic rule that allows remote administration
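The recommendations above can be checked mechanically when reviewing a rule set. The following is an added example, not part of the Kerio manual or product: the dictionary layout of a rule, the expansion of the Source address group into a list of addresses, and the 256-address review threshold are assumptions made for illustration; only the service names and ports come from the text.

```python
import ipaddress

# Service names as given in the manual text; the dict layout is hypothetical.
SECURE_ADMIN = {"KWF Admin", "KWF WebAdmin-SSL"}   # TCP/UDP 44333, TCP 4081
UNSECURED_ADMIN = "KWF WebAdmin"
OPEN_SOURCES = {"Any", "Internet"}
MAX_ADDRESSES = 256  # assumed review threshold, not a Kerio limit


def audit_rule(rule):
    """Return findings for one traffic rule that permits administration."""
    services = set(rule["service"])
    # Only rules that permit traffic to the firewall itself are relevant.
    if rule["action"] != "Permit" or rule["destination"] != "Firewall":
        return []
    if not services & (SECURE_ADMIN | {UNSECURED_ADMIN}):
        return []
    findings = []
    if UNSECURED_ADMIN in services:
        findings.append("unsecured KWF WebAdmin service is permitted")
    for src in rule["source"]:
        if src in OPEN_SOURCES:
            findings.append(f"source '{src}' allows arbitrary hosts")
            continue
        net = ipaddress.ip_network(src, strict=False)
        if net.num_addresses > MAX_ADDRESSES:
            findings.append(f"source {net} covers {net.num_addresses} addresses")
    if rule.get("translation"):
        findings.append("translation set although the engine runs on the firewall")
    return findings


# Constructed sample rules (documentation address ranges).
GOOD_RULE = {"name": "Remote administration",
             "source": ["192.0.2.10", "198.51.100.0/28"],
             "destination": "Firewall",
             "service": ["KWF Admin", "KWF WebAdmin-SSL"],
             "action": "Permit", "translation": None}
BAD_RULE = {"name": "Admin from anywhere",
            "source": ["Any"], "destination": "Firewall",
            "service": ["KWF Admin", "KWF WebAdmin"],
            "action": "Permit", "translation": None}

if __name__ == "__main__":
    for r in (GOOD_RULE, BAD_RULE):
        print(r["name"], "->", audit_rule(r) or "ok")
```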
