Kerio vpn client error 161

If you've stumbled upon this post, it most likely means that you're getting an odd error when trying to install Kerio Control VPN Client on a Windows 8. When users try to connect to VPN using a Domain directory account, they are getting authentication failure or timeout messages.

[13/Nov/2013 22:24:02] {engine} WorkerThread wake-up.
[13/Nov/2013 22:24:02] {engine} VpnFSM: GetStatus().
[13/Nov/2013 22:24:02] {engine} Connect(User: xxxxx, Server xx.xx.xx.xx, id[0001]).
[13/Nov/2013 22:24:02] {engine} VpnFSM: Connect().
[13/Nov/2013 22:24:02] {vpnClient} VPNClient[0001] - connecting to xx.xx.xx.xx, username xxxx
[13/Nov/2013 22:24:02] {engine} WorkerThread signaled.
[13/Nov/2013 22:24:02] {engine} WorkerThread - sending status.
[13/Nov/2013 22:24:02] {vpnClient} VPNClient[0001] - server name resolved - xx.xx.xx.xx
[13/Nov/2013 22:24:02] {vpnClient} VPNClient[0001] - local TCP address = xx.xx.xx.xx:36920
[13/Nov/2013 22:24:02] {vpnClient} VPNClient[0001] - SSL connection successfully established
[13/Nov/2013 22:24:02] {vpnClient} VPNClient[0001] - sending VERSION message, version = 4
[13/Nov/2013 22:24:03] {vpnClient} VPNClient[0001] - received VERSION message, version = 3
[13/Nov/2013 22:24:06] {engine} VpnFSM: GetStatus().
[13/Nov/2013 22:24:06] {engine} Callback StatusChanged called from libVpn(error 161).
[13/Nov/2013 22:24:06] {engine} VpnFSM: Saving and sending status to Engine (error).
[13/Nov/2013 22:24:06] {engine} VpnFSM: GetStatus().
[13/Nov/2013 22:24:06] {engine} WorkerThread - replan reconnect in 30s.
[13/Nov/2013 22:24:06] {engine} WorkerThread signaled.
[13/Nov/2013 22:24:06] {engine} WorkerThread - sending status.
[13/Nov/2013 22:24:06] {engine} WorkerThread - wait 30s.
[13/Nov/2013 22:24:06] {engine} WorkerThread signaled.
[13/Nov/2013 22:24:06] {engine} WorkerThread - wait 30s.
[13/Nov/2013 22:24:36] {engine} WorkerThread wake-up.
[13/Nov/2013 22:24:36] {engine} VpnFSM: GetStatus().
[13/Nov/2013 22:24:36] {engine} Connect(User: Admin, Server xx.xx.xx.xx, id[0001]).
[13/Nov/2013 22:24:36] {engine} VpnFSM: Connect().
[13/Nov/2013 22:24:36] {vpnClient} VPNClient[0001] - connecting to xx.xx.xx.xx, username xxxxx
[13/Nov/2013 22:24:36] {engine} WorkerThread signaled.
[13/Nov/2013 22:24:36] {engine} WorkerThread - sending status.
[13/Nov/2013 22:24:36] {vpnClient} VPNClient[0001] - server name resolved - xx.xx.xx.xx
[13/Nov/2013 22:24:36] {vpnClient} VPNClient[0001] - local TCP address = xx.xx.xx.xx:36934
[13/Nov/2013 22:24:36] {vpnClient} VPNClient[0001] - SSL connection successfully established
[13/Nov/2013 22:24:36] {vpnClient} VPNClient[0001] - sending VERSION message, version = 4
[13/Nov/2013 22:24:36] {vpnClient} VPNClient[0001] - received VERSION message, version = 3
[13/Nov/2013 {engine} VpnFSM: GetStatus().
[13/Nov/2013 22:24:39] {engine} Callback StatusChanged called from libVpn(error 161).
[13/Nov/2013 22:24:39] {engine} VpnFSM: Saving and sending status to Engine (error).
[13/Nov/2013 22:24:39] {engine} VpnFSM: GetStatus().
[13/Nov/2013 22:24:39] {engine} WorkerThread - replan reconnect in 30s.
[13/Nov/2013 22:24:39] {engine} WorkerThread signaled.
[13/Nov/2013 22:24:39] {engine} WorkerThread - sending status.
[13/Nov/2013 22:24:39] {engine} WorkerThread - wait 30s.
[13/Nov/2013 22:24:39] {engine} WorkerThread signaled.
[13/Nov/2013 22:24:39] {engine} WorkerThread - wait 30s.

Administrator's Guide - Kerio Software Archive

Kerio Control

Administrator’s Guide

Kerio Technologies


© Kerio Technologies s.r.o. All rights reserved.

This guide provides detailed description on configuration and administration of Kerio

Control, version 7.0.1. All additional modifications and updates reserved. User interfaces

Kerio StaR and Kerio Clientless SSL-VPN are focused in a standalone document, Kerio Control

— User’s Guide. The Kerio VPN Client application is described in a stand-alone document

Kerio VPN Client — User’s Guide.

For current version of the product, go to http://www.kerio.com/firewall/download. For other

documents addressing the product, see http://www.kerio.com/firewall/manual.

Information regarding registered trademarks and trademarks is provided in appendix A.

Products Kerio Control and Kerio VPN Client include open source software. To view the list

of open source items included, refer to attachment B.


Contents

1 Quick Checklist

2 Introduction
2.1 What’s new in 7.0
2.2 Conflicting software
2.3 System requirements
2.4 Installation - Windows
2.5 Initial configuration wizard (Windows)
2.6 Upgrade and Uninstallation - Windows
2.7 Installation - Software Appliance and VMware Virtual Appliance
2.8 Upgrade - Software Appliance / VMware Virtual Appliance
2.9 Kerio Control components
2.10 Kerio Control Engine Monitor (Windows)
2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance)

3 Kerio Control administration
3.1 Kerio Control Administration web interface
3.2 Administration Console - the main window
3.3 Administration Console - view preferences

4 License and Registration
4.1 License types (optional components)
4.2 Deciding on a number of users (licenses)
4.3 License information
4.4 Registration of the product in the Administration Console
4.5 Product registration at the website
4.6 Subscription / Update Expiration

5 Network interfaces
5.1 Groups of interfaces
5.2 Special interfaces
5.3 Viewing and editing interfaces
5.4 Adding new interface (Software Appliance / VMware Virtual Appliance)
5.5 Advanced dial-up settings
5.6 Supportive scripts for link control (Windows)

6 Internet Connection
6.1 Persistent connection with a single link
6.2 Connection with a single leased link - dial on demand
6.3 Connection Failover
6.4 Network Load Balancing

7 Traffic Policy
7.1 Network Rules Wizard
7.2 How traffic rules work
7.3 Definition of Custom Traffic Rules
7.4 Basic Traffic Rule Types
7.5 Policy routing
7.6 User accounts and groups in traffic rules
7.7 Partial Retirement of Protocol Inspector
7.8 Use of Full cone NAT
7.9 Media hairpinning

8 Firewall and Intrusion Prevention System
8.1 Network intrusion prevention system (IPS)
8.2 MAC address filtering
8.3 Special Security Settings
8.4 P2P Eliminator

9 Configuration of network services
9.1 DNS module
9.2 DHCP server
9.3 Dynamic DNS for public IP address of the firewall
9.4 Proxy server
9.5 HTTP cache

10 Bandwidth Limiter
10.1 How the bandwidth limiter works and how to use it
10.2 Bandwidth Limiter configuration
10.3 Detection of connections with large data volume transferred

11 User Authentication
11.1 Firewall User Authentication

12 Web Interface
12.1 Web interface and certificate settings information
12.2 User authentication at the web interface

13 HTTP and FTP filtering
13.1 Conditions for HTTP and FTP filtering
13.2 URL Rules
13.3 Content Rating System (Kerio Web Filter)
13.4 Web content filtering by word occurrence
13.5 FTP Policy

14 Antivirus control
14.1 Conditions and limitations of antivirus scan
14.2 How to choose and setup antiviruses
14.3 HTTP and FTP scanning
14.4 Email scanning
14.5 Scanning of files transferred via Clientless SSL-VPN (Windows)

15 Definitions
15.1 IP Address Groups
15.2 Time Ranges
15.3 Services
15.4 URL Groups

16 User Accounts and Groups
16.1 Viewing and definitions of user accounts
16.2 Local user accounts
16.3 Local user database: external authentication and import of accounts
16.4 User accounts in Active Directory — domain mapping
16.5 User groups

17 Administrative settings
17.1 System configuration (Software Appliance / VMware Virtual Appliance)
17.2 Setting Remote Administration
17.3 Update Checking

18 Other settings
18.1 Routing table
18.2 Universal Plug-and-Play (UPnP)
18.3 Relay SMTP server

19 Status Information
19.1 Active hosts and connected users
19.2 Network connections overview
19.3 List of connected VPN clients
19.4 Alerts

20 Basic statistics
20.1 Volume of transferred data and quota usage
20.2 Interface statistics

21 Kerio StaR - statistics and reporting
21.1 Monitoring and storage of statistic data
21.2 Settings for statistics and quota
21.3 Connection to StaR and viewing statistics

22 Logs
22.1 Log settings
22.2 Logs Context Menu
22.3 Alert Log
22.4 Config Log
22.5 Connection Log
22.6 Debug Log
22.7 Dial Log
22.8 Error Log
22.9 Filter Log
22.10 Http log
22.11 Security Log
22.12 Sslvpn Log
22.13 Warning Log
22.14 Web Log

23 Kerio VPN
23.1 VPN Server Configuration
23.2 Configuration of VPN clients
23.3 Interconnection of two private networks via the Internet (VPN tunnel)
23.4 Exchange of routing information
23.5 Example of Kerio VPN configuration: company with a filial office
23.6 Example of a more complex Kerio VPN configuration

24 Kerio Clientless SSL-VPN (Windows)
24.1 Kerio Control SSL-VPN configuration
24.2 Usage of the SSL-VPN interface

25 Specific settings and troubleshooting
25.1 Configuration Backup and Transfer
25.2 Configuration files
25.3 Automatic user authentication using NTLM
25.4 FTP over Kerio Control proxy server
25.5 Internet links dialed on demand

26 Technical support
26.1 Essential Information
26.2 Tested in Beta version

A Legal Notices
B Used open source items
Glossary of terms
Index


Chapter 1

Quick Checklist

In this chapter you can find a brief guide for a quick setup of Kerio Control. After this setup

the firewall should be immediately available and able to share your Internet connection and

protect your local network. For a detailed guide refer to the separate Kerio Control — Step-by-

Step Configuration guide.

If you are unsure about any element of Kerio Control, simply look up an appropriate chapter in

the manual. For information about your Internet connection (such as your IP address, default

gateway, DNS server, etc.) contact your ISP.

Note: In this guide, the expression firewall represents the host where Kerio Control is (or will

be) installed.

1. The firewall needs at least one interface connected to the local network (e.g. an Ethernet

or WiFi network adapter). For Internet connection, another network adapter, USB ADSL

modem, PPPoE, dial up or another facility is needed.

On Windows, test functionality of the Internet connection and of traffic among hosts within

the local network before you run the Kerio Control installation. This test will reduce

possible problems with debugging and error detections.

2. Run Kerio Control installation and in the wizard provide required basic parameters (for

details, see chapter 2.4 or 2.7).

3. Use Kerio Administration Console to connect to the firewall (see chapter 3).

4. Set interface groups and basic traffic rules using the Network Rules Wizard (see

chapter 7.1).

5. Run the DHCP server and set required IP ranges including their parameters (subnet mask,

default gateway, DNS server address/domain name). For details, see chapter 9.2.

TIP: DHCP server can be configured automatically in accordance with LAN interface

parameters. Automatic configuration of DHCP server can now be enabled only in the

Kerio Control Administration web interface (see chapter 3.1).

6. Check DNS module settings. Define the local DNS domain if you intend to use the hosts

file and/or the DHCP server table. For details, see chapter 9.1.

7. Set user mapping from the Active Directory domain or create/import local user accounts

and groups. Set user access rights. For details see chapter 16.

8. Enable the intrusion prevention system (see chapter 8.1).

9. Select an antivirus and define types of objects that will be scanned.

If you choose the integrated Sophos antivirus application, check automatic update settings

and edit them if necessary.

External antivirus must be installed before it is set in Kerio Control, otherwise it is not

available in the combo box.

10. Define IP groups (chapter 15.1), time ranges (chapter 15.2) and URL groups (chapter 15.4),

that will be used during rules definition (refer to chapter 15.2).

11. Create URL rules (chapter 13.2). Set Kerio Web Filter (chapter 13.3) and automatic

configuration of web browsers (chapter 9.5).

12. Define FTP rules (chapter 13.5).

13. Using one of the following methods set TCP/IP parameters for the network adapter of

individual LAN clients:

• Automatic configuration — enable automatic DHCP configuration (by default

on most operating systems). Do not set any other parameters.

• Manual configuration — define IP address, subnet mask, default gateway address,

DNS server address and local domain name.

Use one of the following methods to set the Web browser at each workstation:

• Automatic configuration — activate the Automatically detect settings option (Internet

Explorer) or specify URL for automatic configuration (other types of browsers).

For details, refer to chapter 9.5.

• Manual configuration — select type of connection via the local network or define

IP address and appropriate proxy server port (see chapter 9.4).

Chapter 2

Introduction

2.1 What’s new in 7.0

Kerio Control 7.0 brings the following improvements:

New product name — Kerio Control

Kerio WinRoute Firewall is no longer just a network firewall. New features added in

versions 6.x and 7.0 make the software a complex tool combining features for local

network security, network access as well as user Internet access control and

monitoring. The name Kerio Control is derived from the user access control feature.

Intrusion Detection and Prevention System (IPS/IDS)

Kerio Control now integrates one of the most widely used intrusion detection and prevention

systems — Snort. This system enhances security provided by the firewall and makes Kerio

Control a UTM solution (Unified Threat Management).

More details can be found in chapter 8.1.

New integrated antivirus engine — Sophos

Kerio Control includes an all-new antivirus engine — Sophos. This scan engine offers

extreme performance and includes a variety of innovative technologies designed to

eliminate the threat of malware.

The antivirus will run as a 30 day trial upon initial installation. When upgrading, the

McAfee engine will automatically be replaced by the new Sophos engine.

More details can be found in chapter 14.

MAC address filtering

This new module in the firewall enables network traffic filtering by physical addresses

(MAC addresses) of network devices. Filtering of physical address helps for example

prevent users from undesirable connections to the network or from getting around the firewall

traffic policy by changing the IP address of their device.

More details can be found in chapter 8.2.

New licensing policy

Licensing policy for Kerio Control has been changed. Now it is possible to purchase

licenses for customized number of users. Refer to chapter 4 for more information.

Warning:

Since 6.x, some configuration parameters have been changed in version 7.0.0. Although

updates are still performed automatically and seamlessly, it is necessary to mind these tiny

changes. Detailed information:

• Edition for Windows — see chapter 2.6,

• Edition for Software Appliance / VMware Virtual Appliance — see chapter 2.8.

After update, it is recommended to check Warning log carefully (see chapter 22.13).

2.2 Conflicting software

Kerio Control can be run with most common applications. However, there are certain

applications that should not be run at the same host as WinRoute, as this could result in

collisions.

The computer where Kerio Control is installed (the host) can be also used as a workstation.

However, it is not recommended — user interaction may affect performance of the operating

system which affects Kerio Control performance badly.

Collision of low-level drivers

Kerio Control collides with system services and applications whose low-level drivers

use a similar or an identical technology. The security log contains the following

types of services and applications:

• The Internet Connection Firewall / Internet Connection Sharing system service.

Kerio Control can detect and automatically disable this service.

• The system service Routing and Remote Access Service (RRAS) in Windows Server

operating systems. This service allows also sharing of Internet connection (NAT).

Kerio Control can detect if NAT is active in the RRAS service; if it is, a warning

is displayed. In reaction to the alert message, the server administrator should

disable NAT in the RRAS configuration.

If NAT is not active, collisions should be avoided and Kerio Control can be used

hand in hand with the RRAS service.

• Network firewalls — e.g. Microsoft ISA Server.

• Personal firewalls, such as Sunbelt Personal Firewall, Zone Alarm, Norton Personal

Firewall, etc.

• Software designed to create virtual private networks (VPN) — i.e. software

applications developed by the following companies: CheckPoint, Cisco Systems,

Nortel, etc. There are many applications of this type and their features vary from

vendor to vendor.

Under proper circumstances, use of the VPN solution included in Kerio Control

is recommended (for details see chapter 23). Otherwise, we recommend you to

test a particular VPN server or VPN client with Kerio Control trial version or to

contact our technical support (see chapter 26).

Note: VPN implementation included in Windows operating system (based on the

PPTP protocol) is supported by Kerio Control.

Port collision

Applications that use the same ports as the firewall cannot be run at the Kerio Control

host (or the configuration of the ports must be modified).

If all services are running, Kerio Control uses the following ports:

• 53/UDP — DNS module,

• 67/UDP — DHCP server,

• 1900/UDP — the SSDP Discovery service,

• 2869/TCP — the UPnP Host service.

The SSDP Discovery and UPnP Host services are included in the UPnP support

(refer to chapter 18.2).

• 4080/TCP — non-secured firewall’s web interface (see chapter 12). This service

cannot be disabled.

• 4081/TCP — secured (SSL-encrypted) version of the firewall’s web interface (see

chapter 12). This service cannot be disabled.

• 44333/TCP+UDP — traffic between Kerio Administration Console and the Kerio

Control Engine. This service cannot be disabled.

The following services use corresponding ports by default. Ports for these services can

be changed.

• 443/TCP — server of the SSL-VPN interface (only in Kerio Control on Windows

— see chapter 24),

• 3128/TCP — HTTP proxy server (see chapter 9.4),

• 4090/TCP+UDP — proprietary VPN server (for details refer to chapter 23).
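
The port list above can be checked against a host before Kerio Control is installed. The following Python code is an added example, not part of the Kerio guide or of Kerio software: it parses `netstat -ano` output as printed by English-language Windows and reports listeners that collide with the listed ports. The function names are hypothetical and the sample output is constructed for illustration.

```python
import re
import subprocess
import sys
from typing import NamedTuple

# (port, protocol) -> (Kerio Control service, does the guide say the port can be changed?)
# Only 443, 3128 and 4090 are listed above as defaults that can be changed.
KERIO_PORTS = {
    (53, "UDP"): ("DNS module", False),
    (67, "UDP"): ("DHCP server", False),
    (1900, "UDP"): ("SSDP Discovery service", False),
    (2869, "TCP"): ("UPnP Host service", False),
    (4080, "TCP"): ("non-secured web interface", False),
    (4081, "TCP"): ("SSL-encrypted web interface", False),
    (44333, "TCP"): ("Administration Console <-> Engine", False),
    (44333, "UDP"): ("Administration Console <-> Engine", False),
    (443, "TCP"): ("SSL-VPN interface server", True),
    (3128, "TCP"): ("HTTP proxy server", True),
    (4090, "TCP"): ("VPN server", True),
    (4090, "UDP"): ("VPN server", True),
}

# One netstat row: proto, local address:port, foreign address, optional state, PID.
# UDP rows have no state column. Assumes English output ("LISTENING").
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# Constructed sample of `netstat -ano` output (not taken from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    [::]:443               [::]:0                 LISTENING       4
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:4080      203.0.113.7:443        ESTABLISHED     5120
  UDP    0.0.0.0:53             *:*                                    1204
  UDP    0.0.0.0:4090           *:*                                    3020
  UDP    [::]:1900              *:*                                    1500
"""


class Collision(NamedTuple):
    port: int
    proto: str
    service: str
    changeable: bool
    pids: tuple


def parse_listeners(netstat_text):
    """Return {(port, proto): set of PIDs} for TCP listeners and bound UDP sockets."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, unexpected formats
        proto, _addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound connection from a local port is not a listener
        listeners.setdefault((int(port), proto), set()).add(int(pid))
    return listeners


def find_collisions(netstat_text, ignore_pids=()):
    """List occupied ports that Kerio Control also uses.

    ignore_pids lets an upgrade check skip processes that already belong to
    Kerio Control itself.
    """
    ignored = set(ignore_pids)
    found = []
    for (port, proto), pids in parse_listeners(netstat_text).items():
        entry = KERIO_PORTS.get((port, proto))
        owners = pids - ignored
        if entry is None or not owners:
            continue
        service, changeable = entry
        found.append(Collision(port, proto, service, changeable, tuple(sorted(owners))))
    return sorted(found, key=lambda c: (c.port, c.proto))


def describe(c):
    """One report line per collision, with the remedy the port list allows."""
    remedy = ("change the Kerio Control port or stop the other application"
              if c.changeable else "stop or reconfigure the other application")
    pids = ", ".join(str(p) for p in c.pids)
    return f"{c.port}/{c.proto} ({c.service}) held by PID {pids}: {remedy}"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # saved netstat output passed as a file
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    elif sys.platform == "win32":
        text = subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for collision in find_collisions(text):
        print(describe(collision))
```
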

Antivirus applications

Most of the modern desktop antivirus programs (antivirus applications designed to

protect desktop workstations) also scan network traffic — typically HTTP, FTP and email

protocols. Kerio Control also provides this feature, which may cause collisions.

Therefore it is recommended to install a server version of your antivirus program on

the Kerio Control host. The server version of the antivirus can also be used to scan Kerio

Control’s network traffic or as an additional check to the integrated antivirus Sophos (for

details, see chapter 14).

If the antivirus program includes so called realtime file protection (automatic scan of all

read and written files), it is necessary to exclude directories cache (HTTP cache in Kerio

Control see chapter 9.5) and tmp (used for antivirus check). If Kerio Control uses an

antivirus to check objects downloaded via HTTP or FTP protocols (see chapter 14.3), the

cache directory can be excluded with no risk — files in this directory have already been

checked by the antivirus.

The Sophos integrated antivirus plug-in does not interact with antivirus application

installed on the Kerio Control host (provided that all the conditions described above are

met).

2.3 System requirements

The minimum hardware configuration recommended for Kerio Control:

• CPU 1 GHz,

• 1 GB RAM,

• At least one network interface.

For Windows:

• 100 MB free disk space for installation of Kerio Control.

• Free disk space for statistics (see chapter 21), HTTP cache (see chapter 9.5) and logs

(in accordance with their frequency and logging level settings — see chapter 22).

For security reasons, all this data is saved in the application’s installation directory

subfolders. It is not possible to use another partition or disk.

• To keep the installed product (especially its configuration files) as secure as possible,

it is recommended to use the NTFS file system.

For Kerio Control Software Appliance:

• Minimum 3 GB hard disk.

• No operating system is required to be installed on the computer. Any existing

operating system will be removed from the computer.

For Kerio Control VMware Virtual Appliance:

• VMware Player, VMware Workstation or VMware Server.

• 3 GB free disk space.

The following web browsers can be used to access Kerio Control web services (Kerio Control

Administration — see chapter 3, Kerio StaR — see chapter 21 and Kerio SSL-VPN — see

chapter 24):

• Internet Explorer 7 or higher,

• Firefox 3 or higher,

• Safari 3 or higher.

2.4 Installation - Windows

Installation packages

Kerio Control is distributed in two editions: one is for 32-bit systems and the other for 64-bit

systems (see the product’s download page: http://www.kerio.com/firewall/download).

The 32-bit edition (the “win32” installation package) supports the following operating systems:

• Windows 2000,

• Windows XP (32 bit),

• Windows Server 2003 (32 bit),

• Windows Vista (32 bit),

• Windows Server 2008 (32 bit),

• Windows 7 (32 bit).

The 64-bit edition (the “win64” installation package) supports the following operating systems:

• Windows XP (64 bit),

• Windows Server 2003 (64 bit),

• Windows Vista (64 bit),

• Windows Server 2008 (64 bit),

• Windows 7 (64 bit).

Older versions of Windows operating systems are not supported.

Note:

1. Kerio Control installation packages include the Kerio Administration Console. The separate

Kerio Administration Console installation package (file kerio-control-admin*.exe) is

designed for full remote administration from another host. This package is identical both

for 32-bit and 64-bit Windows systems. For details on Kerio Control administration, see chapter 3.

2. For correct functionality of the Kerio StaR interface (see chapter 21), it is necessary that

the Kerio Control host’s operating system supports all languages that would be used in

the Kerio StaR interface. Some languages (Chinese, Japanese, etc.) may require installation

of supportive files. For details, refer to documents regarding the corresponding operating

system.

Steps to be taken before the installation

Install Kerio Control on a computer which is used as a gateway connecting the local network

and the Internet. This computer must include at least one interface connected to the local

network (Ethernet, WiFi, etc.) and at least one interface connected to the Internet. You can use

either a network adapter (Ethernet, WiFi, etc.) or a modem (analog, ISDN, etc.) as an Internet

interface.

We recommend you to check through the following items before you run Kerio Control

installation:

• Time of the operating system should be set correctly (for timely operating system upgrades, etc.),

• The latest service packs and any security updates should be applied,

• TCP/IP parameters should be set for all available network adapters,

• All network connections (both to the local network and to the Internet) should function

properly. You can use for example the ping command to detect time that is needed

for connections.

These checks and pre-installation tests may protect you from later problems and

complications.

Note: Basic installation of all supported operating systems includes all components required

for smooth functionality of Kerio Control.

Installation and Basic Configuration Guide

Once the installation program is launched (i.e. kerio-control-7.0.0-1000-win32.exe),

it is possible to select a language for the installation wizard. Language selection affects only

the installation, language of the user interface can then be set separately for individual Kerio

Control components.

In the installation wizard, you can choose either Full or Custom installation. Custom mode

will let you select optional components of the program:

Figure 2.1

Installation — customization by selecting optional components

• Kerio Control Engine — core of the application.

• VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN).

• Administration Console — the Kerio Administration Console application (for all server applications of Kerio Technologies) including Kerio Control

administration tools.

• Help files — this manual in the HTML Help format. For help files details, see Kerio

Administration Console — Help (available at http://www.kerio.com/firewall/manual).

Go to chapter 2.9 for a detailed description of all Kerio Control components. For detailed

description on the proprietary VPN solution, refer to chapter 23.

Having completed this step, you can start the installation process. All files will be copied to the

hard disk and all necessary system settings will be performed. The initial wizard for basic

Kerio Control configuration will be run automatically after your first login (see chapter 2.5).

Under usual circumstances, reboot of the computer is not required after the installation

(restart may be required if the installation program rewrites shared files which are currently

in use). This will install the Kerio Control Engine low-level driver into the system kernel. Kerio

Control Engine and Kerio Control Engine Monitor will be automatically launched when the installation is complete. The engine runs as a service.

Note:

1. If you selected the Custom installation mode, the behavior of the installation program is as follows:

• all checked components will be installed or updated,

• all unchecked components will not be installed or will be removed.

During an update, all components that are intended to remain must be ticked.

2. The installation program does not allow installing the Administration Console separately.

Installation of the Administration Console for the full remote administration requires

a separate installation package (file kerio-control-admin*.exe).

Protection of the installed product

To provide the firewall with the highest security possible, it is necessary to ensure that

undesirable (unauthorized) persons have no access to the critical files of the application,

especially to configuration files. If the NTFS system is used, Kerio Control refreshes settings

related to access rights to the directory (including all subdirectories) where the firewall is

installed upon each startup. Only members of the Administrators group and local system

account (SYSTEM) are assigned the full access (read/write rights), other users are not allowed

to access the directory.

Warning:

If the FAT32 file system is used, it is not possible to protect Kerio Control in the above way.

Thus, we strongly recommend installing Kerio Control only on NTFS disks.
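The access-rights protection described above can be verified after installation. The following PowerShell script is an added example, not part of the manual or of Kerio Control: it checks that the volume is NTFS and reports every Allow rule under the installation directory that belongs to anyone other than Administrators or SYSTEM. The default path is the typical one quoted in this manual; the function names are hypothetical.

```powershell
# Added example (not part of the manual): verify the NTFS protection described above.
# Run from an elevated prompt, since ordinary users should not be able to read this tree.
param(
    # Typical installation path quoted in this manual; change it if yours differs.
    [string]$InstallDir = 'C:\Program Files\Kerio\WinRoute Firewall'
)

# Well-known SIDs, so the check also works on localized Windows installations.
$AllowedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM (local system account)
)

function Test-VolumeIsNtfs {
    param([string]$Path)
    # Local drive paths only; a UNC path has no drive root that DriveInfo accepts.
    $root  = [System.IO.Path]::GetPathRoot($Path)
    $drive = New-Object System.IO.DriveInfo -ArgumentList $root
    return ($drive.DriveFormat -eq 'NTFS')
}

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }   # orphaned or unresolvable SID: show it raw
}

function Get-UnexpectedAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Deny rules only restrict access further, so only Allow rules are reported.
        if ($rule.AccessControlType -ne
            [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($AllowedSids -contains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = Resolve-SidName $rule.IdentityReference
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Error "Installation directory not found: $InstallDir"
    exit 2
}
if (-not (Test-VolumeIsNtfs $InstallDir)) {
    Write-Warning 'Volume is not NTFS; the directory cannot be protected by access rights.'
    exit 1
}

# The manual states that subdirectories are covered too, so walk the whole tree.
$targets  = @($InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force |
                               ForEach-Object { $_.FullName })
$findings = @($targets | ForEach-Object { Get-UnexpectedAccess -Path $_ })

if ($findings.Count -eq 0) {
    Write-Output "Only Administrators and SYSTEM hold access under $InstallDir"
} else {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
    exit 1
}
```

Because the firewall refreshes these rights on each startup, a finding that persists after a restart of the Kerio Control Engine is the one worth investigating.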

Conflicting Applications and System Services

The Kerio Control installation program detects applications and system services that might

conflict with the Kerio Control Engine.

1. Windows Firewall’s system components¹ and Internet Connection Sharing.

These components provide the same low-level functions as Kerio Control. If they are

running concurrently with Kerio Control, the network communication would not be

functioning correctly and Kerio Control might be unstable. Both components are run by

the Windows Firewall / Internet Connection Sharing system service².

Warning:

To provide proper functionality of Kerio Control, it is necessary that the Internet

Connection Firewall / Internet Connection Sharing detection is stopped and

forbidden!

2. Universal Plug and Play Device Host and SSDP Discovery Service

The listed services support UPnP protocol (Universal Plug and Play) on Windows. However,

these services collide with the UPnP support in Kerio Control (refer to chapter 18.2).

The Kerio Control installation includes a dialog where it is possible to disable colliding system

services.

By default, the Kerio Control installation disables all the colliding services listed. Under usual

circumstances, it is not necessary to change these settings. Generally, the following rules are

applied:

• The Windows Firewall / Internet Connection Sharing (ICS) service should be disabled.

Otherwise, Kerio Control will not work correctly. The option is a certain kind of

warning which informs users that the service is running and that it should be disabled.

• To enable support for the UPnP protocol in Kerio Control (see chapter 18.2), it is

necessary to disable also services UPnP Device Host and SSDP Discovery Service.

• It is not necessary to disable the services unless you need to use the UPnP in Kerio

Control.

¹ In Windows XP Service Pack 1 and older versions, the integrated firewall is called Internet Connection Firewall.

² In the older Windows versions listed above, the service is called Internet Connection Firewall / Internet Connection

Sharing.

Figure 2.2

Disabling colliding system services during installation

Note:

1. Upon each startup, Kerio Control detects automatically whether the Windows Firewall /

Internet Connection Sharing is running. If it is, WinRoute stops it and makes a record in

the Warning log. This helps assure that the service will be enabled/started immediately

after the Kerio Control installation.

2. On Windows XP Service Pack 2, Windows Server 2003, Windows Vista, Windows Server 2008

and Windows 7, Kerio Control registers in the Security Center automatically. This implies

that the Security Center always indicates firewall status correctly and it does not display

warnings informing that the system is not protected.
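To confirm on a running host that the colliding services described in this section are actually stopped and disabled, the state can be read from WMI. This PowerShell function is an added example, not part of the manual; the short service names are the standard Windows ones (an assumption, since the manual gives only display names) and the function name is hypothetical.

```powershell
# Added example (not part of the manual). Requires PowerShell 3.0 or later.
# Service short names are the standard Windows names, not values from the manual.
$Candidates = @(
    [pscustomobject]@{ Name = 'SharedAccess'; UpnpOnly = $false
        Label = 'Internet Connection Sharing (includes the firewall on XP / Server 2003)' }
    [pscustomobject]@{ Name = 'MpsSvc';       UpnpOnly = $false
        Label = 'Windows Firewall (Vista and later)' }
    [pscustomobject]@{ Name = 'upnphost';     UpnpOnly = $true
        Label = 'UPnP Device Host' }
    [pscustomobject]@{ Name = 'SSDPSRV';      UpnpOnly = $true
        Label = 'SSDP Discovery Service' }
)

function Get-ConflictingService {
    param(
        # Set this switch when UPnP support is enabled in Kerio Control; the manual
        # requires the two UPnP services to be disabled only in that case.
        [switch]$KerioUpnpEnabled
    )
    foreach ($c in $Candidates) {
        if ($c.UpnpOnly -and -not $KerioUpnpEnabled) { continue }

        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($c.Name)'"
        if ($null -eq $svc) { continue }   # service not present on this Windows version

        # A stopped service that can still be started is reported as well,
        # because it may come back after a reboot or on demand.
        if ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled') {
            [pscustomobject]@{
                Service     = $c.Name
                Description = $c.Label
                State       = $svc.State
                StartMode   = $svc.StartMode
            }
        }
    }
}

$conflicts = @(Get-ConflictingService -KerioUpnpEnabled)
if ($conflicts.Count -eq 0) {
    Write-Output 'No colliding system services are running or startable.'
} else {
    $conflicts | Format-Table -AutoSize -Wrap
}
```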

2.5 Initial configuration wizard (Windows)

Using this wizard you can define all basic Kerio Control parameters. It is started automatically

by the installation program for Windows.

Setting of administration username and password

Definition of the administration password is essential for the security of the firewall. Do not

use the standard (blank) password, otherwise unauthorized users may be able to access the

Kerio Control configuration.

Figure 2.3

Initial configuration — Setting of administration username and password

Password and its confirmation must be entered in the dialog for account settings. Name Admin

can be changed in the Username edit box.

Note: If the installation is running as an upgrade, this step is skipped since the administrator

account already exists.

Remote Access

Immediately after the first Kerio Control Engine startup all network traffic will be blocked

(desirable traffic must be permitted by traffic rules — see chapter 7). If Kerio Control is

installed remotely (i.e. using terminal access), communication with the remote client will be

also interrupted immediately (Kerio Control must be configured locally).

Within Step 2 of the configuration wizard, specify the IP address of the host from which the

firewall will be controlled remotely to enable remote installation and administration (provided

that the Kerio Control Engine is started). Thus Kerio Control will enable all traffic between the

firewall and the remote host.

Note: Skip this step if you install Kerio Control locally. Allowing full access from a point might

endanger security.

Enable remote access

This option enables full access to the Kerio Control computer from a selected IP address.

Remote IP address

IP address of the computer from where you will be connecting (e.g. terminal services

client). This field must contain an IP address. A domain name is not allowed.

Figure 2.4

Initial configuration — Allowing remote administration

Warning:

The remote access rule is disabled automatically when Kerio Control is configured using the

network policy wizard (see chapter 7.1).

2.6 Upgrade and Uninstallation - Windows

Upgrade

Simply run the installation of a new version to upgrade WinRoute (i.e. to get a new release

from the Kerio Web pages — http://www.kerio.com/).

All windows of the Kerio Administration Console must be closed before the (un)installation is

started. Components Kerio Control Engine and Kerio Control Engine Monitor will be stopped

and closed automatically by the installation program.

The installation program detects the directory with the former version and updates it by

replacing appropriate files with the new ones automatically. License, all logs and user defined

settings are kept safely.

Note: This procedure applies to upgrades between versions of the same series (e.g. from 7.0.0

to 7.0.1) or from a version of the previous series to a version of the subsequent series (e.g.

from Kerio WinRoute Firewall 6.7.1 to Kerio Control 7.0.0). In case of upgrades from an older

series version (e.g. 6.6.1), full compatibility of the configuration cannot be guaranteed and it

is recommended to upgrade “step by step” (e.g. 6.6.1 → 6.7.1 → 7.0.0) or to uninstall the old

version along with all files and then install the new version “from scratch”.

Warning:

Since 6.x, some configuration parameters have been changed for version 7.0.0. Although

updates are still performed automatically and seamlessly, it is necessary to mind the

changes described above that take effect immediately upon installation of the new version.

The following parameters are affected:

• HTTP cache directory — newly, the firewall installation directory’s cache subfolder

is always used, typically

C:\Program Files\Kerio\WinRoute Firewall\cache.

In case that the HTTP cache is located in a different directory, it can be moved

(provided that the Kerio Control Engine service is not running). However, such

measure can be counterproductive, as the product update actually empties the

cache, which may often increase its effectiveness.

For details on HTTP cache, see chapter 9.5.

• Supportive scripts for dial-up control — these scripts must always be saved in the

firewall installation directory’s scripts subfolder, typically

C:\Program Files\Kerio\WinRoute Firewall\scripts

and they all need fixed names.

If these scripts were used in the previous version of the product, it is necessary to

move them to the directory with correct names used.

For details on dial-up configuration, see chapter 6.2.

• Log file names — fixed log file names are set now (alert.log, config.log,

debug.log, etc.).

The same path used for saving log files is kept — logs are saved under the logs

subdirectory under the firewall installation directory, typically

C:\Program Files\Kerio\WinRoute Firewall\logs

If log file names have been changed, the original files are kept and new logs are

recorded in files with corresponding names.

• Log type (Facility) and its Severity for external logging on the Syslog server — fixed

facility and severity values of individual logs of Kerio Control are now set. This is

a fact to bear in mind while viewing firewall logs on the Syslog server.

For details on log settings, see chapter 22.1.

After update, it is recommended to check Warning log carefully (see chapter 22.13).

Update Checker

Kerio Control enables automatic checks for new versions of the product at the Kerio Technologies

website. Whenever a new version is detected, its download and installation will be offered

automatically.

For details, refer to chapter 17.3.

Uninstallation

Before uninstalling the product, it is recommended to close all Kerio Control components. The

Add/Remove Programs option in the Control Panel launches the uninstallation process. All

files under the Kerio Control directory can be optionally deleted.

(the typical path is C:\Program Files\Kerio\WinRoute Firewall)

— configuration files, SSL certificates, license key, logs, etc.

Figure 2.5

Uninstallation — asking whether files created in Kerio Control should be deleted

Keeping these files may be helpful for copying of the configuration to another host or if it is

not sure whether the SSL certificates were issued by a trustworthy certification authority.

During uninstallation, the Kerio Control installation program automatically refreshes the

original status of the Windows Firewall / Internet Connection Sharing, Universal Plug and Play

Device Host and SSDP Discovery Service system services.

2.7 Installation - Software Appliance and VMware Virtual Appliance

Kerio Control in the software appliance edition is distributed:

• as an ISO of the installation CD which is used to install the system and then install the

firewall either on a physical or virtual computer (Software Appliance),

• as a virtual appliance for VMware (VMware Virtual Appliance).

Standalone Kerio Control installation package for installation on previously installed Linux is

not available.

Software Appliance / VMware Virtual Appliance installation process consists of the following

simple steps:

Start of the installation

Software Appliance

ISO image of the installation CD can be burned on a physical CD and then the CD can

be used for installation of the system on the target computer (either physical or virtual).

In case of virtual computers, the ISO image can be also connected as a virtual CD ROM,

without the need to burn the installation ISO file on a CD.

Note: Kerio Control Software Appliance cannot be installed on a computer with another

operating system. Existing operating system on the target disk will be removed within

the installation.

VMware Virtual Appliance

Supported VMware hypervisor versions:

• Workstation 6.5 and 7.0

• Server 2.0

• Fusion 2.0 and 3.0

• Player 2.5 and 3.0

• ESX 3.5 and 4.0

• ESXi 3.5 and 4.0

Use an installation package in accordance with the type of your VMware product (see

above):

• In case of products VMware Server, Workstation and Fusion, download the

compressed VMX distribution file (*.zip), unpack it and open it in your

VMware product.

• You can import a virtual appliance directly to VMware ESX/ESXi from the URL of

the OVF file — for example:

http://download.kerio.com/dwn/control/

kerio-control-appliance-7.0.0-1234-linux.ovf

VMware ESX/ESXi automatically downloads the OVF configuration file and

a corresponding disk image (.vmdk).

If you import virtual appliance in the OVF format, bear in mind the following specifics:

• In the imported virtual appliance, time synchronization between the host and

the virtual appliance is disabled. However, Kerio Control features a proprietary

mechanism for synchronization of time with public Internet time servers.

Therefore, it is not necessary to enable synchronization with the host.

• Tasks for shutdown or restart of the virtual machine will be set to default values

after the import. These values can be set to “hard” shutdown or “hard” reset.

However, this may cause loss of data on the virtual appliance. Kerio Control

VMware Virtual Appliance supports so called Soft Power Operations which

allow the hosted operating system to be shut down or restarted properly. Therefore, it is

recommended to set shutdown or restart of the hosted operating system as the

value.

The following steps are identical both for Software Appliance and Virtual Appliance.

Language selection

The selected language will be used both for Kerio Control installation and for the firewall’s

console (see chapter 2.11).

Selection of target hard disk

If the installation program detects more hard disks in the computer, then it is necessary to

select a disk for Kerio Control installation. Content of the selected disk will be completely

removed before Kerio Control installation, while other disks are not affected by the installation.

If only one hard disk is detected on the computer, the installer continues with the

following step automatically. If no hard disk is found, the installation is closed. Such error is

often caused by an unsupported hard disk type or hardware defect.

Selection of network interface for the local network and access to administration

The installer lists all detected network interfaces of the firewall. Select an interface which is

connected to the local (trustworthy) network which the firewall will be remotely administered

from.

In the field, a computer may have multiple interfaces of the same type and it is therefore not

easy to recognize which interface is connected to the local network and which to the Internet.

To a certain extent, hardware addresses of the adapters can be a clue or you can experiment

— select an interface, complete the installation and try to connect to the administration. If the

connection fails, use option Network Configuration in the main menu of the firewall’s console

to change the settings (see chapter 2.11).

There can also arise another issue — that the program does not detect some or any network

adapters. In such case, it is recommended to use another type of the physical or virtual (if the

virtual computer allows this) adapter or install Kerio Control Software Appliance on another

type of virtual machine. If such issue arises, it is highly recommended to consult the problem

with the Kerio Technologies technical support (see chapter 26).

Provided that no network adapter can be detected, it is not possible to continue installing

Kerio Control.

Setting of the local interface’s IP address

It is now necessary to define IP address and subnet mask for the selected local network

interface. These parameters can be defined automatically by using information from a DHCP

server or manually.

For the following reasons, it is recommended to set local interface parameters manually:

• Automatically assigned IP address can change which may cause problems with

connection to the firewall administration (although the IP address can be reserved

on the DHCP server, this may bring other problems).

• In most cases Kerio Control will be probably used itself as a DHCP server for local

hosts (workstations).

Admin password

The installation requires specification of the password for the account Admin (the account of

the main administrator of the firewall). The username Admin with this password is then used for

access:

• to the firewall’s console (see chapter 2.11),

• to the remote administration of the firewall via the web administration interface (see

chapter 3),

• to the remote administration of the firewall via the Kerio Administration Console (see

chapter 3).

Remember this password or save it in a secured location and keep it from anyone else!

Time zone, date and time settings

Many Kerio Control features (user authentication, logs, statistics, etc.) require correct setting

of date, time and time zone on the firewall. Select your time zone and in the next page check

(and change, if necessary) date and time settings.

Completing the installation

Once all these parameters are set, the Kerio Control Engine service (daemon) is started.

While the firewall is running, the firewall’s console will display information about

remote administration options and change of some basic configuration parameters — see

chapter 2.11.

2.8 Upgrade - Software Appliance / VMware Virtual Appliance

Kerio Control can be upgraded by the following two methods:

• by starting the system from the installation CD (or a mounted ISO) of the new version.

The installation process is identical with the process of a new installation with the

only exception that at the start the installer asks you whether to execute an upgrade

(any existing data will be kept) or a new installation (all configuration files, statistics,

logs, etc will be removed). For details, see chapter 2.7.

• by the Kerio Administration Console update checker. For details, refer to chapter 17.3.

Warning:

Since 6.7.1, some configuration parameters have been changed for version 7.0.0. Although

updates are still performed automatically and seamlessly, it is necessary to mind the

changes described above that take effect immediately upon installation of the new version.

The following parameters are affected:

• Log file names — fixed log file names are set now (alert.log, config.log,

debug.log, etc.).

The path for saving the log files is kept unchanged — logs are saved under

/opt/kerio/winroute/logs

If log file names have been changed, the original files are kept and new logs are

recorded in files with corresponding names.

• Log type (Facility) and its Severity for external logging on the Syslog server — fixed

facility and severity values of individual logs of Kerio Control are now set. This is

a fact to bear in mind while viewing firewall logs on the Syslog server.

For details on log settings, see chapter 22.1.

After update, it is recommended to check Warning log carefully (see chapter 22.13).

2.9 Kerio Control components

Kerio Control consists of these components:

Kerio Control Engine

The core of the program that executes all services and functions. It is running as a service

in the operating system (the service is called Kerio Control and it is run automatically

within the system account by default).

Kerio Control Engine Monitor (Windows only)

Allows viewing and modification of the Engine’s status (stopped / running) and setting

of start-up preferences (i.e. whether Engine and Monitor should be run automatically at

system start-up). It also provides easy access to the Administration Console. For details,

refer to chapter 2.10.

Note: Kerio Control Engine is independent from the Kerio Control Engine Monitor. The

Engine can be running even if there is no icon in the system tray.

Kerio Administration Console (Windows only)

It is a versatile console for full local or remote administration of Kerio Technologies

server products. For successful connection to an application you need a plug-in with

an appropriate interface.

Kerio Administration Console is installed on Windows hand-in-hand with the appropriate

module during the installation of Kerio Control. The separate installation package Kerio

Administration Console for Kerio Control is available for remote administration from

another host. The Kerio Administration Console is available for Windows only, but it can

be used for administration of both Kerio Control installed on Windows and Kerio Control

Software Appliance / VMware Virtual Appliance.

Detailed guidance for Kerio Administration Console is provided in Kerio Administration

Console — Help (http://www.kerio.com/firewall/manual).

The firewall’s console (Software Appliance / VMware Virtual Appliance only)

The firewall’s console is a simple interface permanently running on the Kerio Control

host. It allows to set basic parameters of the operating system and the firewall for cases

when it is not possible to administer it remotely via the Administration web interface or

the Kerio Administration Console.

2.10 Kerio Control Engine Monitor (Windows)

Kerio Control Engine Monitor is a standalone utility used to control and monitor the Kerio

Control Engine status. The icon of this component is displayed on the toolbar.

Figure 2.6

Kerio Control Engine Monitor icon in the Notification Area

If Kerio Control Engine is stopped, a white crossed red spot appears on the icon. Starting or

stopping the service can take several seconds. For this time the icon gets grey and is inactive.

On Windows, left double-clicking on this icon runs the Kerio Administration Console (described

later). Use the right mouse button to open the following menu:

Start-up Preferences

With these options Kerio Control Engine and/or Engine Monitor applications can be set

to be launched automatically when the operating system is started. Both options are

enabled by default.

Administration

Runs Kerio Administration Console (equal to double-clicking on the Engine Monitor icon).

Figure 2.7

Kerio Control Engine Monitor menu

Internet Usage Statistics

Opens Internet Usage Statistics in the default browser. For details, see chapter 21.

Start/Stop Kerio Control

Switches between the Start and Stop modes. The text displays the current mode status.

Exit Engine Monitor

An option to exit Engine Monitor. This option does not stop the Kerio Control Engine. The

user is informed about this fact by a warning window.

Note:

1. If a limited version of Kerio Control is used (e.g. trial version), a notification is displayed

7 days before its expiration. This information is displayed until the expiration.

2. Kerio Control Engine Monitor is available in English only.

2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance)

On the console of the computer where Kerio Control Software Appliance / VMware Virtual Appliance

is running, information about the firewall remote administration options is displayed.

Upon authenticating by the administration password (see above), this console allows you to change

some basic settings, restore default settings after installation and shut down or restart the

computer.

By default, the console shows only information about URL or IP address which can be used

for firewall administration via the firewall’s web administration interface or the Kerio Administration

Console. To access configuration options, authentication with the Admin password is

required (Admin is the main firewall administrator’s account). If idle for some time, the user

gets logged out automatically and the welcome page of the console showing details on the

firewall’s remote administration is displayed again.

The firewall’s console provides the following configuration options:

Network interface configurations

This option allows to show or/and edit parameters of individual network interfaces of the

firewall. Each interface allows definition of automatic configuration via DHCP or manual

configuration of IP address, subnet mask and default gateway.

Note: No default gateway should be set on interfaces connected to the local network,

otherwise this firewall cannot be used as a gateway for the Internet access.

Remote administration policy settings

When you change the firewall’s traffic policy (see chapter 7) via the web administration

interface or the Kerio Administration Console, you may happen to block access to the

remote administration accidentally.

If you are sure that the firewall’s network interfaces are configured correctly and despite

of that it is not possible to access the remote administration, you can use the Remote

Administration option to change the traffic policy so that the rules do not block remote

administration on any interface.

Upon saving changes in traffic rules, the Kerio Control Engine service will be restarted

automatically.

In the field, unblocking of the remote administration means that a rule will be added to the

top of the traffic policy table that would allow access to the Control Admin (connection with the

Kerio Administration Console), Kerio Control WebAdmin and Kerio Control WebAdmin-SSL

(secured web interface of the firewall) services from any computer.

Shutting down / restarting the firewall

If you need to shut your computer down or reboot it, these options provide secure closure

of the Kerio Control Engine and shutdown of the firewall’s operating system.

Restoring default configuration

This option restores the default firewall settings as installed from the installation CD

or upon the first startup of the VMware virtual host. All configuration files and data

(logs, statistics, etc.) will be removed and it will then be necessary to execute the initial

configuration of the firewall again as if a new installation (see chapter 2.7).

Restoring the default configuration can be helpful if the firewall’s configuration is

accidentally damaged that much that it cannot be corrected by any other means.

Chapter 3

Kerio Control administration

For Kerio Control configuration, two tools are available:

Kerio Control Administration web interface

The Administration interface allows both remote and local administration of the firewall

via a common web browser. In the current version of Kerio Control, the Administration

interface allows configuration of most of the basic options and parameters of the firewall:

• network adapters,

• traffic rules — manual configuration only; the Traffic Policy Wizard (see

chapter 7.1) is not available,

• intrusion prevention system,

• MAC address filtering,

• additional security options (Anti-Spoofing, connections count limits, UPnP

support)

• DHCP server (including automatic configuration),

• HTTP and FTP filtering rules,

• user accounts, groups, user authentication and domain mapping,

• IP groups, URL groups, time ranges and network services,

• logs.

On the other hand, some of the recently added features are available only in the web

interface:

• exporting and importing configuration,

• automatic configuration of IP scopes on the DHCP server.

Kerio Administration Console

Kerio Administration Console (referred to as the Administration Console in this document)

is an application used for administration of all Kerio Technologies’ server products. All

Kerio Control parameters can be configured here.

Using this program you can access the firewall either locally (from the Kerio Control

host) or remotely (from another host). Traffic between Administration Console and Kerio

Control Engine is encrypted. This protects you from tapping and misuse.

Kerio Administration Console is installed on Windows hand-in-hand with it during the

installation of Kerio Control.

The separate installation package Kerio Administration Console for Kerio Control is

available for remote administration from another host. The Kerio Administration Console

is available for Windows only, but it can be used for administration of both Kerio Control

installed on Windows and Kerio Control Software Appliance / VMware Virtual Appliance.

Detailed guidelines for the Administration Console are provided under Kerio Administration

Console — Help (to view these guidelines, use option Help → Contents

in the main Administration Console window, or you can download it from

http://www.kerio.com/firewall/manual).

The following chapters of this manual describe individual sections of the Administration Console

and the web administration interface.

Note:

1. The Administration web interface and the Administration Console for Kerio Control are

available in 16 localization versions. The Administration interface allows language

selection by simple switching of the flag in the top right corner of the window

or by following the browser language preferences. The Administration Console allows

language settings in the Tools menu of the login dialog box.

2. Upon the first login to the Administration Console after a successful Kerio Control

installation, the traffic rules wizard is run so that the initial Kerio Control configuration

can be performed. For a detailed description of this wizard, please refer to chapter 7.1.

The wizard is not available in the current version of the Administration interface.

Therefore it is recommended to use the Administration Console for the initial configuration

of Kerio Control (immediately upon the installation).

3.1 Kerio Control Administration web interface

The Kerio Control Administration interface is available at https://server:4081/admin

(server stands for the firewall name or IP address and 4081 for the port of its web interface).

HTTPS traffic between the client and the Kerio Control Engine is encrypted. This protects the

communication from tapping and misuse. It is recommended to use the unsecured version

of the Administration (the HTTP protocol on port 4080) only for local administration of Kerio

Control (i.e. administration from the computer where it is installed).

Upon a successful logon to the Administration web interface, the main window consisting of

two sections is displayed:

• The left column contains the tree view of sections. For better transparency it is

possible to hide or show individual parts of the tree (upon logon, the full tree is

shown).

• The right column lists contents of the section previously selected in the left column.

In most cases, configuration changes in individual sections are performed only at the client’s

side (i.e. in the web browser) and get applied on the configuration file upon clicking on the

Apply button. Therefore, it is possible to use the Cancel button to recover the former settings.

Figure 3.1

Main window of the Kerio Control Administration interface

3.2 Administration Console - the main window

After the user has been successfully logged in to the Kerio Control Engine by the Kerio Administration

Console, the main window of the Kerio Control administration plugin is displayed

(further called the “administration window”). This window is divided into two parts:

• The left column contains the tree view of sections. The individual sections of the

tree can be expanded and collapsed for easier navigation. Administration Console

remembers the current tree settings and uses them upon the next login.

• In the right part of the window, the contents of the section selected in the left column

is displayed (or a list of sections in the selected group).

In most cases, configuration changes in individual sections are performed only at the client’s

side and get applied on the configuration file upon clicking on the Apply button. Therefore, it

is possible to use the Cancel button to recover the former settings.


Figure 3.2 The main window of Administration Console for Kerio Control

Administration Window — Main menu

The main menu provides the following options:

File

• Reconnect — using this option, the connection to the Kerio Control Engine after a connection drop-out (e.g. after the Engine restart or network failure) can be restored.

• New connection — opens the main window of the Administration Console. Use a bookmark or the login dialog to connect to a server.
  This option can be useful when the console will be used for administration of multiple server applications (e.g. Kerio Control at multiple servers). For details, refer to the Help section in the Administration Console manual.
  Note: The New Connection option opens the same dialog as running the Administration Console from the Start menu.

• Quit — this option terminates the session (users are logged out of the server and the administration window is closed). The same effect can be obtained by clicking the little cross in the upper right corner of the window or pressing Alt+F4 or Ctrl+Q.

The Edit menu (on the welcome page only)

Options under Edit are related to product registration and licensing. The options available in the menu depend on the registration status (for example, if the product is registered as a trial version, it is possible to use options of registration of a purchased license or a change of registration data).


• Copy license number to clipboard — copies the license number (the ID licence item) to the clipboard. This may be helpful e.g. when ordering an upgrade or subscription, where the number of the base license is required, or when sending an issue to the Kerio Technologies technical support.

• Register trial version — registration of the product’s trial version.

• Register product — registration of a product with a purchased license number.

• Install license — use this option to import your license key file (for details, see chapter 4.5).

Help menu

• Show Server’s Identity — this option provides information about the firewall which the Administration Console is currently connected to (name or IP address of the server, port and SSL-certificate fingerprint). This information can be used for authentication of the firewall when connecting to the administration from another host (see Kerio Administration Console — Help).

• Administrator’s guide — this option displays the administrator’s guide in HTML Help format. For details about help files, see Kerio Administration Console — Help manual.

• About — this option provides information about the version of the Kerio Control and a link to the Kerio Technologies website.

Status bar

The status bar at the bottom of the administration window displays the following information (from left to right):

Figure 3.3 Administration Console status bar

• The section of the administration window currently selected in the left column. This information facilitates navigation in the administration window when any part of the section tree is not visible (e.g. when a lower screen resolution is selected).

• Name or IP address of the server and port of the server application (Kerio Control uses port 44333).

• Name of the user logged in as administrator.

• Current state of the Administration Console: Ready (waiting for user’s response), Loading (retrieving data from the server) or Saving (saving changes to the server).


Detection of the Kerio Control Engine connection failure

Administration Console is able to detect the connection failure automatically. The failure is usually detected upon an attempt to read/write the data from/to the server (i.e. when the Apply button is pressed or when a user switches to a different section of Administration Console). In such case, a connection failure dialog box appears where the connection can be restored.

After you remove the cause of the connection failure, the connection can be restored. Administration Console provides the following options:

• Apply & Reconnect — connection to the server will be recovered and all changes done in the current section of the Administration Console before the disconnection will be saved,

• Reconnect — connection to the server will be recovered without saving any changes performed in the particular section of the console before the disconnection.

If the reconnection attempt fails, only the error message is shown. You can then try to reconnect using the File → Restore connection option from the main menu, or close the window and restore the connection using the standard procedure.

Note: After a connection failure, the Administration interface is redirected and opened at the login page automatically. Any unsaved changes will get lost.

3.3 Administration Console - view preferences

Many sections of the Administration Console are in table form where each line represents one record (e.g. detailed information about user, information about interface, etc.) and the columns consist of individual entries for these records (e.g. name of server, MAC address, IP address, etc.).

The firewall administrators can define, according to their liking, how the information in individual sections will be displayed. When you right-click each of the above sections, a pop-up menu with Modify columns option is displayed. This entry opens a dialog window where users can select which columns will be displayed/hidden.

This dialog offers a list of all columns available for a corresponding view. Use the checkboxes on the left to enable/disable displaying of a corresponding column. You can also click the Show all button to display all columns. Clicking on the Default button will restore default settings (for better reference, only columns providing the most important information are displayed by default).

The arrow buttons move the selected column up and down within the list. This allows the administrator to define the order in which the columns will be displayed.

The order of the columns can also be adjusted in the window view. Left-click on the column name, hold down the mouse button and move the column to the desired location.


Figure 3.4 Column customization in Interfaces

Note: Move the dividing lines between the column headers to modify the width of the individual columns.



Chapter 4

License and Registration

A valid license is required for usage of Kerio Control after the 30-day trial period. Technically, the product works as follows:

• Immediately upon installation, the product works as a 30-day trial version. All features and options of the product are available except the Kerio Web Filter module and update of intrusion prevention system rules.

• Trial version can be registered for free. Registered trial version users can use technical support for the product during the trial period. Registered users can also test the Kerio Web Filter module and their intrusion prevention system rules are updated automatically. Registration does not prolong the trial period.

• Upon purchase of a license, it is necessary to register the product using the corresponding license key. Upon a successful registration, the product will be fully available according to the particular license policy (for details, see chapter 4.1).

There is actually no difference between the trial and full version of Kerio Control except being or not being registered with a valid license. This gives each customer an opportunity to install and test the product in a particular environment during the trial period. Then, once the product is purchased, the customer can simply register the installed version by the purchased license number (see chapter 4.4). This means that it is not necessary to uninstall the trial version and reinstall the product.

If the 30-day trial has already expired, Kerio Control stops working — the Kerio Control Engine system service gets stopped automatically. Upon registration with a valid license number (received as a response to purchase of the product), Kerio Control is available with full functionality.

Note: Registration of Kerio Control generates a so-called license key (the license.key file — see chapter 25.1). If your license key gets lost for any reason (e.g. after the hard drive breakdown or by an accidental removal, etc.), you can simply use the basic product’s purchase number to recover the license. The same method can be used also for change of the firewall’s operating system (Windows / Software Appliance / VMware Virtual Appliance) — the license keys cannot be used across different operating systems. If the license number gets lost, contact the Kerio Technologies sales department.


4.1 License types (optional components)

Kerio Control can optionally include the following components: Sophos antivirus (refer to chapter 14) and/or the Kerio Web Filter module for web pages rating (see chapter 13.3). These components are licensed individually.

License keys consist of the following information:

Kerio Control license

Kerio Control basic license. Its validity is defined by the two following factors:

• Update right expiration date — specifies the date by which Kerio Control can be updated for free. When this date expires, Kerio Control keeps functioning, however, it cannot be updated. The time for updates can be extended by purchasing a subscription.

• Product expiration — by this date Kerio Control stops working — the Kerio Control Engine service gets stopped automatically.
  In this case, you need to register a valid license immediately or uninstall Kerio Control. It is possible to run Kerio Control for purpose of registering. However, if a valid license is not installed in 10 minutes, the service is stopped again.

Sophos antivirus license

This license is defined by the two following dates:

• update right expiration date (independent of Kerio Control) — when this date expires, the antivirus keeps functioning, however, neither its virus database nor the antivirus can be updated anymore.

• plug-in expiration date — specifies the date by which the Sophos antivirus stops functioning and cannot be used anymore.

Warning: Owing to persistent incidence of new virus infections we recommend that you always use the most recent antivirus versions.

Kerio Web Filter subscriptions

Kerio Web Filter module is provided as a service. License is defined only by an expiration date which specifies when this module will be blocked.

Note: Refer to the Kerio Technologies website (http://www.kerio.com/) to get up-to-date information about individual licenses, subscription extensions, etc.

4.2 Deciding on a number of users (licenses)

Kerio Control 7 introduces a new system of Internet access monitoring, better corresponding to the product’s licensing and usage policy. Kerio Technologies licenses this software as a server with the Admin account and 5 user accounts in the basic license. Users can be added in packages of five users.


User is defined as a person who is permitted to connect to Kerio Control and its services. Each user can connect from up to five different devices represented by IP addresses, including VPN clients.

If any user tries to connect from more than five devices at a time, another user license is used for this purpose. Although the product formerly did not limit number of connected users, it used to consider each IP address connected to the server as one user which might have caused situations where one user used up available licenses even by connecting from two devices at a time.

Warning: Kerio Control does not limit number of defined user accounts (see chapter 16). However, if the maximal number of currently authenticated users is reached, no other user can connect.

4.3 License information

The license information can be displayed by selecting Kerio Control (the first item in the tree in the left part of the Administration Console dialog window — this section is displayed automatically whenever the Kerio Control administration is entered).

Figure 4.1 Administration Console welcome page providing license information


Product
Product name (Kerio Control).

Copyright
Copyright information.

Homepage
Link to the Kerio Control homepage (information on pricing, new versions, etc.). Click on the link to open the homepage in your default browser.

Operational system
Name of the operating system on which the Kerio Control Engine service is running. This is an informative item only — the purchased license can be used for any supported operating system.

License ID
License number or a special license name.

Subscription expiration date
Date until when the product can be upgraded for free.

Product expiration date
Date when the product expires and stops functioning (only for trial versions or special license types).

Number of users
Maximal number of users authenticated at the firewall at a time (for details, see chapter 4.2).

Company
Name of the company (or a person) to which the product is registered.

Depending on the current license, links are displayed at the bottom of the image:

1. For unregistered versions:

• Become a registered trial user — registration of the trial version. This type of registration is tentative and it is not obligatory. The registration provides users free technical support for the entire trial period.

• Register product with a purchased license number — registration of a purchased product.
  Once purchased, the product must be registered. Otherwise, it will keep behaving as a trial version!

2. For registered versions:

• Update registration info — this link can be used to update information about the person/company to which the product is registered and/or to add subscription license numbers or add-on licenses (add users).


In any case, the registration wizard will be started where basic data are required and additional data can also be defined. For detailed information on the wizard, refer to chapter 4.4.

If the update checker is enabled (refer to chapter 17.3), the "A new version is available, click here for details." notice is displayed whenever a new version is available. Click on the link to open the dialog where the new version can be downloaded and the installation can be started (for details, see chapter 17.3).

Note: Right-clicking in the main page of the Administration Console opens a context pop-up menu with the same options as are provided in the Edit menu in the main toolbar of the administration window (see chapter 3.2).

4.4 Registration of the product in the Administration Console

Kerio Control registration, change of registration details, adding of add-on licenses and subscription updates can be done in the Administration Console by clicking on a corresponding


Depending on the environment, there are different reasons why user authentication against Kerio Connect fails.

Background: When the user synchronization is using the Kerio API, the user authentication is performed against Kerio's IMAP server. When a MailStore user tries to log in to MailStore, MailStore passes the provided credentials to the Kerio IMAP server and performs a login attempt. If this attempt is successful, the user is able to log in to MailStore.


Problem: MailStore connects to the Kerio IMAP server via IMAP-TLS or IMAP-SSL and the Kerio IMAP server is using a certificate that is not trusted by MailStore. The connection to the IMAP server cannot be established and the provided credentials cannot be verified.

Solution: Replace the certificate used by Kerio with a certificate that is trusted by MailStore or enable the option Ignore SSL Warnings in the directory services Authentication section.


Problem: Kerio Connect is synchronized with an Active Directory and MailStore is synchronized with Kerio Connect. User authentication with Windows Authentication fails.

Solution: MailStore's "Windows Authentication" only works when MailStore is synchronized with an Active Directory directly. You have to use "Standard Authentication". The MailStore user's "Login Name" has to be entered as the username, which is usually the user's email address.


Problem: Kerio Connect is synchronized with an Active Directory and MailStore is synchronized with Kerio Connect. User authentication with Standard Authentication fails.

Cause: When a user wants to log in to MailStore, MailStore passes the given user credentials to Kerio Connect's IMAP server. When the IMAP server offers CRAM-MD5 or DIGEST-MD5 authentication in its capabilities, MailStore will use these authentication methods only. These methods require that Kerio Connect knows the clear text password of the user. When Kerio Connect is synchronized with an Active Directory, it never has access to the users' passwords. Therefore, the authentication always fails.

Solution: Log in to Kerio Connect's admin interface. Navigate to Configuration → Security → Security policy → Enabled authentication methods and disable the CRAM-MD5 and DIGEST-MD5 authentication methods. Either the authentication method PLAIN or LOGIN or both must be enabled. NTLM is not supported by MailStore, but can be enabled.

Be aware that disabling these authentication methods forces IMAP clients to send user passwords as plain text to Kerio Connect. Only STARTTLS and/or IMAPS connections should then be allowed, to add another layer of security.
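The cause and the trade-off described above can be checked in a few lines. The following Python sketch is an added example, not code from MailStore or Kerio: it computes a CRAM-MD5 response (RFC 2195) to show why the server needs the clear-text password, then audits an IMAP CAPABILITY line the way the article describes the client behaving. The capability lines are constructed samples, and the function names and finding labels are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

# Per the article: these mechanisms need the clear-text password on the server.
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5"}
# With these the password itself is sent, so the server can pass it to a directory.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

# Example exchange from RFC 2195 (user, shared secret, server challenge).
RFC_USER = "tim"
RFC_PASSWORD = "tanstaaftanstaaf"
RFC_CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()

# Constructed sample capability lines (not captured from a real server).
CAP_BEFORE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=LOGIN"
CAP_AFTER = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"


def cram_md5_response(user, password, challenge_b64):
    """Client side: HMAC-MD5 over the decoded challenge, keyed with the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify_cram(known_password, challenge_b64, response_b64):
    """Server side: recompute the same HMAC and compare.

    Returns None when the server holds no clear-text password for the account
    (the directory-backed case): it has nothing to key the HMAC with.
    """
    if known_password is None:
        return None
    _user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    expected = hmac.new(known_password.encode(),
                        base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def parse_capability(line):
    """Extract the SASL mechanisms and the STARTTLS flag from a CAPABILITY line."""
    tokens = line.upper().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {
        "mechs": {t[5:] for t in tokens if t.startswith("AUTH=")},
        "starttls": "STARTTLS" in tokens,
    }


def assess(capability_line, tls_active, directory_backed):
    """Return finding labels for a client that prefers challenge-response
    mechanisms whenever they are offered (the behaviour the article describes)."""
    mechs = parse_capability(capability_line)["mechs"]
    offered_cr = mechs & CHALLENGE_RESPONSE
    offered_pw = mechs & PASSWORD_MECHS
    findings = []
    if offered_cr and directory_backed:
        findings.append("login-fails")          # server cannot verify the HMAC
    if not offered_pw:
        findings.append("no-plain-or-login")    # the fix needs PLAIN or LOGIN
    if offered_pw and not offered_cr and not tls_active:
        findings.append("cleartext-password")   # password crosses the wire unprotected
    return findings


if __name__ == "__main__":
    resp = cram_md5_response(RFC_USER, RFC_PASSWORD, RFC_CHALLENGE_B64)
    print("client response :", base64.b64decode(resp).decode())
    print("local account   :", server_verify_cram(RFC_PASSWORD, RFC_CHALLENGE_B64, resp))
    print("directory-backed:", server_verify_cram(None, RFC_CHALLENGE_B64, resp))
    print("before fix      :", assess(CAP_BEFORE, tls_active=True, directory_backed=True))
    print("after, with TLS :", assess(CAP_AFTER, tls_active=True, directory_backed=True))
    print("after, no TLS   :", assess(CAP_AFTER, tls_active=False, directory_backed=True))
```
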




Article-ID: KB20150424-0-EN (Deutsche Version)


    Kerio Control Administrator's Guide, Kerio Technologies

    2015 Kerio Technologies s.r.o.

    6 Configuring IPsec VPN tunnel (Kerio Control and another device) IPsec tunnel overview Default values in Kerio Control Supported ciphers Configuring traffic rules How traffic rules work Configuring traffic rules Port mapping Other examples User accounts and groups in traffic rules Demilitarized zone (DMZ) Policy routing Configuring IP address translation IP address translation (NAT) overview Configuring IP address translation A default NAT rule description Configuring traffic rules multihoming Multihoming overview Configuring traffic rules limiting Internet access Limiting Internet Access Configuring traffic rules exclusions Configuring exclusions Troubleshooting traffic rules Overview Seeking dropped packets Testing traffic rules Configuring Demilitarized Zone (DMZ) Demilitarized Zone (DMZ) Configuring DMZ Configuring policy routing Policy routing overview Configuring a preferred link for traffic Configuring an optimization of network traffic load balancing


    8 Unlocking rules Examples Adding new URLs for automatic updates Blocking Facebook Allowing all content from Samepage.io Related articles Eliminating Peer-to-Peer traffic Peer-to-Peer (P2P) networks Configuring/Adding the P2P traffic rule Configuring parameters for detection of P2P networks Configuring HTTP cache HTTP cache overview Configuring HTTP cache Configuring TTL Cache status and administration Filtering web content by word occurrence Kerio Control word filter overview Adding a new forbidden word Using Kerio Control Web Filter Kerio Control Web Filter overview Enabling Kerio Control Web Filter Testing URLs Creating a URL whitelist Using Web Filter in URL rules Filtering HTTPS connections Overview Configuring HTTPS filtering Setting HTTPS filtering exceptions Excluding traffic to/from web applications Excluding users from the HTTPS filtering Importing a certificate for an untrusted web applications into Kerio Control Installing certificates to Kerio Control Configuring proxy server Overview


    12 Protecting users against password guessing attacks Protecting against password guessing attacks Creating user groups in Kerio Control User groups overview Creating user groups Creating local groups Configuring SSL certificates in Kerio Control SSL certificates overview Creating a new Local Authority Creating a certificate signed by Local Authority Creating a certificate signed by a Certification Authority Intermediate certificates Configuring IP address groups Using IP address groups Adding a new IP address group Adding item into existing address group Moving items from one IP address group to another Creating time ranges in Kerio Control Time ranges overview Defining time ranges Configuring URL groups Using URL groups Defining a new URL group Using services Services Using services Creating service groups Monitoring active hosts Overview General Activity Connections Histogram Monitoring VPN clients Overview Disconnecting a VPN client

    13 Monitoring alert messages Overview Configuring alerts Alert log Monitoring user statistics Overview Volume of transferred data and quota usage Traffic Charts Monitoring System Health in Kerio Control Overview Using and configuring logs Logs overview Logs Context Menu Log highlighting Logs Settings Detailed articles Logging packets Packet logging Configuring packet logging Logical Expression Interpretation of logical expressions Variables Examples Creating and downloading packet dumps Log packet formatting Log packet formatting Creating expressions Default template Variables Using the Config log Config log overview Reading the Config log Using the Connection log Connection log overview Reading the Connection log

    14 Using the Debug log Debug log overview Using the Debug log Using the Dial log Dial log overview Reading the Dial log Using the Error log Error log overview Reading the Error log Using the Filter log Filter log overview Reading the Filter log Example of a URL rule log message Packet log example Using the Host log Host log overview Reading the Host log An example of user registration An example of IP address leased from DHCP An example of registering and removing an IPv6 address Using the Http log Http log overview Reading the Http log An example of an Http log record in the Apache format An example of Http log record in the Squid format Using the Security log Security log overview Reading the Security log Intrusion prevention system logs Anti-spoofing log records FTP protocol parser log records Failed user authentication log records Information about the start and shutdown of the Kerio Control Engine and some Kerio Control components Updating components

    15 Using the Warning log Warning log overview Reading the Warning log Using the Web log Web log overview Reading the Web Log Using IP tools in Kerio Control About IP tools Ping Traceroute DNS Lookup Whois SNMP monitoring Configuring Kerio Control Cacti Generating a Software Appliance installation USB flash disk Generating a Software Appliance installation USB flash disk Linux Mac OS X Automatic user authentication using NTLM Automatic user authentication using NTLM overview General conditions Configuring Kerio Control Web browsers NTLM authentication process FTP over Kerio Control proxy server FTP over proxy server overview Configuration files Configuration files kerio vpn client error 161 Configuring backup and transfer Backup and transfer Tips for tablets Tips

    16 Legal Kerio vpn client error 161 Trademarks and registered trademarks Used open source software

    17 Installing Kerio Control Product editions 1. text 2. text Software Appliance Kerio Control Software Appliance is a package of Kerio Control and a special Linux-based operating system. Install the appliance on a PC without an operating system. Virtual Appliance Kerio Control Virtual Appliance is the software appliance edition pre-installed on a virtual host for the particular hypervisor. Virtual appliances for VMware and Hyper-V are available. Kerio Control Box Kerio Control Box is a hardware device with Kerio Control Software Appliance pre-installed. Two models are available. For more details, refer to the Setting up Kerio Control Box article. Installing Software Appliance edition Install this edition on a PC without operating system. Watch the Installing the Software Appliance edition video. Any existing OS and files on the target hard disk will be erased! For hardware requirements, read Technical Specifications. 1. Download the ISO image from the Download page. 2. Select one of these actions: Burn the ISO image on a CD/DVD Use the ISO image to create a bootable USB flash disk 17

    18 Installing Kerio Control 3. Boot from the appropriate drive. The installation runs automatically. 4. Follow the instructions on the computer s console to perform the basic configuration. 5. To perform the initial setup, open the following address in your web browser: 6. Follow the Activation Wizard. After finishing the wizard, Kerio Control displays the login page. Installing VMware Virtual Appliance For hardware requirements and supported VMware products, read Technical Specifications. For VMware Server, Workstation, Player and Fusion: 1. Download the zipped VMX package from the Download page and error creating direct3d 9 arma 2. 2. Open the.vmx file in your VMware hypervisor. For VMware ESX and ESXi: 1, kerio vpn client error 161. Copy the.ovf file location from the Download page. 2. Paste the OVF file location into the import dialog in your VMware hypervisor. After the import, it is recommended to check the shutdown and restart actions settings for the imported virtual machine. To avoid loss of data in the virtual appliance, use "soft power operations" (Shutdown Guest and Restart Guest). Complete the installation: 1. Follow the instructions on the virtual appliance console to perform the basic configuration. 2. To perform the initial setup, open the following address in your web browser: 3. Follow the Activation Wizard. For more details, read the Configuring the Activation Wizard article. After finishing the wizard, Kerio Control displays the login page. 18

    19 1.4 Installing virtual appliance for Hyper-V Installing virtual appliance for Hyper-V For hardware requirements and supported Hyper-V hypervisors, read Technical Specifications. Kerio Control Virtual Appliance for Hyper-V is distributed as a virtual hard disk. 1. Download the Hyper-V package from the Download page. changed. After importing the appliance into Hyper-V, the location cannot be 2. Go to the Server Manager control panel to add the Hyper-V role (Roles Add Roles). 3. Chernobyl terrorist attack serial number to the Hyper-V Manager control panel and select the local Hyper-V server. 4. Run the new virtual machine wizard kerio vpn client error 161 Virtual machine). 5. As the virtual machine location, select the directory with the unpacked virtual harddisk. Assign RAM and virtual network adapters (read Technical Specifications). 6. Select Use existing kerio vpn client error 161 harddisk. Browse for the virtual harddisk unpacked from the distribution package. 7. After finishing the wizard, connect to the virtual appliance and start it. 8. Follow the instructions on the virtual appliance console to perform the basic configuration. 9. To perform the initial setup, canon pixma mp190 e5 error the following address in your web browser: Follow the Activation Wizard. After finishing the wizard, Kerio Control displays the login page. 19

    Configuring the Activation Wizard

    The first logon to the administration interface after the installation automatically runs the product activation wizard.

    Step 1: Select a language

    This language is used by the activation wizard and it is also set as the default language after the first logon to the administration interface. You can change the language settings later.

    Step 2: Setup connection

    This step appears only if Kerio Control is not able to connect to the Internet. Select an interface connected to the Internet. Configure the connection method (DHCP, static configuration or PPPoE) and specify the required parameters. If your Internet connection is configured properly, click Next.

    You can use other options:
    - It is also possible to select the Activate in unregistered mode link and register Kerio Control later.
    - If you have a file with a license, select the Register offline by license file link.

    Step 3: Set the time zone, date and time

    Kerio Control requires a correct configuration of the date, time and time zone. Select your time zone and verify the date and time settings. We recommend enabling synchronization of time against a time server. Kerio Control uses the NTP servers of Kerio Technologies.

    Step 4: Activate Kerio Control

    This step allows you to:
    - register a license number of the purchased product
    - purchase Kerio Control

    - use the 30-day trial version
    - put the license.key file into Kerio Control
    - skip the registration and register Kerio Control later

    Figure 1 Licensing dialog

    Register Kerio Control trial version

    Registration of the trial version allows testing of features unavailable in the unregistered trial version:
    - the Kerio Control Web Filter module,
    - updates of the integrated antivirus engine,
    - the intrusion prevention system,
    - free technical support for the trial period.

    1. Click Trial in the Licensing dialog.
    2. In the Registered trial activation dialog, type your trial license number (see figure 2). If you do not have a license number, click the Get a Trial License number link.
    3. Enter the security code displayed in the picture and click Next.

    Figure 2 Licensing dialog

    4. Click the Finish button.

    Registration of the trial version does not prolong the trial period.

    Insert Kerio Control license number

    For registration, you need a license number for the purchased product.
    1. Click License in the Licensing dialog.
    2. In the next step, click Enter license.
    3. Insert the license number and enter the security code displayed in the picture (see figure 4).

    Figure 3 Licensing dialog

    4. In the License details dialog, verify the license details. If you want to add other license numbers, click Register multiple license numbers.
    5. In the Contact details dialog, type your contact information.

    Upon a successful registration, the product is activated with a valid license.

    Figure 4 License Activation and Registration dialog

    Purchasing Kerio Control

    To purchase Kerio Control:
    1. Click License in the Licensing dialog.
    2. In the next step, click Buy. This opens in your browser.
    3. At purchase Kerio Control.

    Register offline with a license key

    If you have a file with a license key from your previous installation of Kerio Control (usually license.key), you can use the Register offline by license file link (see screenshot 4).

    Activate Kerio Control in unregistered mode

    1. In the Licensing dialog, click Trial.
    2. In the Registered trial activation dialog, click Activate in unregistered mode.

    Step 5: Help us make Kerio Control even better

    Information on the product usage helps us develop Kerio Control as close to your needs as possible. By sending your usage statistics, you participate in the product improvement. Statistics do not include any confidential data (passwords, addresses, etc.) and you can disable them at any time under Advanced Options → Updates.

    Step 6: Set the password for the administrator user account and sending alerts

    Setting administrator password

    Type the admin password, i.e. the password of the main administrator of the firewall. Username Admin with this password is then used for:
    - Access to the administration of the firewall via the web administration interface
    - Logon to the firewall's console

    Remember this password and keep it from anyone else!

    Sending default alerts

    Kerio Control can send automatic messages (alerts) about important events. To enable sending alerts to a defined address:
    1. Select Do you want to receive default alerts?
    2. Type your address to the address field.

    Kerio Control associates this address with the default Kerio Control Admin account. From now on, Kerio Control includes the predefined alerts group in Accounting and Monitoring → Alert Settings (see screenshot below). For more information about particular alerts, refer to Using Alert Messages.

    Figure 5 Alert Settings tab

    Ensure your Kerio Control is connected to an SMTP server for sending alerts. Read more in the Configuring the SMTP server article.

    After finishing the wizard, the login page appears. Use the admin credentials for login and configure your Kerio Control.

    Configuration Assistant

    Configuration Assistant overview

    The configuration assistant is used for an easy instant basic configuration of Kerio Control. By default, it is opened automatically upon logon to the administration interface. If this feature is disabled, you can start the wizard by clicking on Configuration Assistant on Dashboard.

    Figure 1 Configuration Assistant

    It is not necessary to use the configuration assistant or its individual features. Experienced administrators can configure Kerio Control without these tools.

    The configuration assistant allows the following settings:

    Configure Internet connection and the local network

    Once these parameters are configured, the Internet connection (IPv4) and access from local devices behind the firewall should work. The wizard automatically configures the DHCP server and the DNS forwarder modules.

    Select your connectivity mode:

    Single Internet Link

    1. On the first page of the wizard, select A Single Internet Link.
    2. Click Next.
    3. Select a network interface (Internet link).
    4. Select mode:
       - Automatic: the interface where Kerio Control detected the default gateway is used. Therefore, in most cases the appropriate adapter is already set within this step.
       - Manual: you can change configuration of the default gateway, DNS servers, IP address and subnet mask. If more IP addresses are set for the interface, the primary IP address will be displayed.
       - PPPoE: enter the username and password from your Internet provider.
    5. Click Next.
    6. Select the interface connected to the local network. If multiple interfaces are connected to the local network, select the interface you are currently using for connection to the Kerio Control administration.
    7. Click Next.
    8. Verify your configuration and click Finish.

    You can check the result in section Interfaces. The Internet Interfaces group includes only the Internet interface selected in the second page of the wizard. The LAN adapter selected on the third page of the wizard is included in the group Trusted/Local Interfaces. Other interfaces are added to the group Other Interfaces. For these interfaces, it will be necessary to define corresponding traffic rules manually (e.g. DMZ creation rule).

    Two Internet links with load balancing

    If at least two Internet links are available, Kerio Control can divide traffic between both of them:
    1. On the first page of the wizard, select Two Internet links with load balancing.
    2. Click Next.
    3. Select two interfaces to be used as Internet links with traffic load balance. For each link, specify link weight, i.e. its relative throughput. The weight of individual links indicates how Internet traffic is distributed among the links (it should correspond with their speed ratio).
       Example: You have two Internet links with connection speed 4 Mbit/s and 8 Mbit/s. You set weight 4 for the first link and weight 8 for the other one. The total Internet connection load will therefore be divided in the proportion 1:2.
    4. Select mode:
       - Automatic: the interface where Kerio Control detected the default gateway is used. Therefore, in most cases the appropriate adapter is already set within this step.
       - Manual: you can change configuration of the default gateway, DNS servers, IP address and subnet mask. If more IP addresses are set for the interface, the primary IP address will be displayed.
       - PPPoE: enter the username and password from your Internet provider.
    5. Click Next.
    6. Select the interface connected to the local network. If multiple interfaces are connected to the local network, select the interface you are currently using for connection to the Kerio Control administration.
    7. Click Next.
    8. Verify your configuration and click Finish.

    You can check the result in section Interfaces. The Internet Interfaces group includes the Internet links selected in the third page of the wizard.

    Only the LAN adapter selected on the third page of the wizard is included in the group Trusted/Local Interfaces. Other interfaces are added to the group Other Interfaces. For these interfaces, it will be necessary to define corresponding traffic rules manually (e.g. DMZ creation rule).

    Two Internet links with failover

    Kerio Control can guarantee the Internet connection by means of an alternative (back-up) connection. This back-up connection is launched automatically whenever failure of the primary connection is detected. When Kerio Control finds out that the primary connection has recovered, the secondary connection is disabled and the primary one is re-established automatically.
    1. On the first page of the wizard, select Two Internet links with failover.
    2. Click Next.
    3. Select a network interface to be used for the primary connection and for the secondary connection.
    4. Select mode:
       - Automatic: the interface where Kerio Control detected the default gateway is used. Therefore, in most cases the appropriate adapter is already set within this step.
       - Manual: you can change configuration of the default gateway, DNS servers, IP address and subnet mask. If more IP addresses are set for the interface, the primary IP address will be displayed.
       - PPPoE: enter the username and password from your Internet provider.
    5. Click Next.
    6. Select the interface connected to the local network. If multiple interfaces are connected to the local network, select the interface you are currently using for connection to the Kerio Control administration.
    7. Click Next.
    8. Verify your configuration and click Finish.

    You can check the result in section Interfaces. Only the LAN adapter selected on the third page of the wizard is included in the group Trusted/Local Interfaces.

    Other interfaces are considered as not used and added to the group Other Interfaces. For these interfaces, it will be necessary to define corresponding traffic rules manually (e.g. DMZ creation rule).

    When using failover, only two Internet connections may be applied, one for the primary, and the other as a failover.

    General notes

    A default gateway must not be set on any of the local interfaces. If the interface configuration does not correspond with the real network configuration, edit it (e.g. if the firewall uses multiple interfaces for the local network, move corresponding interfaces to the group Trusted/Local Interfaces).

    Define traffic policy

    New in Kerio Control 8.3!

    The network rules wizard enables you to configure only a basic set of traffic rules:
    1. In the Configuration Assistant dialog, click Define traffic policy.
    2. Enable any of the following options:
       - VPN services: connection to the Kerio VPN server or IPsec VPN server. Enable these services if you want to create VPN tunnels and/or connect remotely to the local network by using Kerio VPN Client or IPsec VPN clients.
       - Kerio Control Administration: enables remote administration of Kerio Control. This option allows HTTPS traffic on port 4081 (you cannot change the port of the administration interface).
       - Web Services: enables the HTTP/S communication on the 80/443 ports. Check this option if you want to have your public web servers behind the firewall (mailserver, your company website, etc.).
    3. Click Next.
    4. To make any other services on the firewall or servers in the local network available from the Internet (mapping), click Add (see screenshot 3).

    Figure 2 Inbound policy

    Figure 3 Inbound policy: create your own rules

    5. In the Inbound policy section, you can configure the following parameters:
       - Service (or a group of services): select services from the list of defined services or define a protocol and a port number.
       - Runs on: firewall or IP address of the local server on which the service is running.

    6. Arrange the rules by order with the arrows on the right side of the window. The rules are processed from the top downwards and the first matched rule is applied.
    7. Click Finish.

    You can perform advanced configuration in the Traffic Rules section. Read more in the Configuring traffic rules article.

    Export your configuration

    Configuration is exported to a .tgz package (the tar archive compressed by gzip) which includes all the key Kerio Control configuration files. Optionally, it is possible to include SSL certificates in the package. Exported configuration does not include the Kerio Control license key.

    Kerio Control 8.1 or newer can automatically upload configuration files to Samepage.io (read article Saving configuration to Samepage for more information).

    Import configuration

    To import configuration, simply browse for or enter the path to the corresponding file which includes the exported configuration (with the .tgz extension).

    If network interfaces have been changed since the export took place (e.g. in case of exchange of a defective network adapter) or if the configuration is imported from another computer, Kerio Control will attempt to pair the imported network interfaces with the real interfaces on the machine. This pairing can be customized: you can match each network interface from the imported configuration with one interface of the firewall or leave it unpaired.

    If network interfaces cannot be simply paired, it is desirable to check and possibly edit interface group settings and/or traffic rules after completion of the configuration import.

    Register product

    See article Configuring the Activation Wizard.
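A check to run on an exported .tgz package (see "Export your configuration" above) before it is stored or uploaded, as an added example that is not part of the Kerio documentation: it scans the archive in memory and reports members that contain PEM certificates or private keys, so an export that includes SSL certificates is handled as secret material. The member names in the constructed sample are hypothetical; the page does not list the package's real contents.

```python
import io
import re
import tarfile

# PEM headers that mark key material inside a text file. Binary formats
# (DER, PKCS#12) are not detected by this check.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
PEM_CERTIFICATE = re.compile(rb"-----BEGIN CERTIFICATE-----")
MAX_SCAN_BYTES = 1024 * 1024  # read at most 1 MiB of each member


def audit_export(fileobj):
    """Scan a gzip-compressed tar export without unpacking it to disk."""
    report = {"members": 0, "private_keys": [], "certificates": []}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as archive:
        for member in archive:
            report["members"] += 1
            if not member.isfile():
                continue  # directories and links carry no content to scan
            data = archive.extractfile(member).read(MAX_SCAN_BYTES)
            if PEM_PRIVATE_KEY.search(data):
                report["private_keys"].append(member.name)
            if PEM_CERTIFICATE.search(data):
                report["certificates"].append(member.name)
    return report


def needs_secret_handling(report):
    """True when the export carries private keys and must be stored as a secret."""
    return bool(report["private_keys"])


def build_sample_export(include_certificates=True):
    """Build a constructed export in memory (hypothetical member names)."""
    files = {"sample-export/main.cfg": b"<config>constructed sample</config>\n"}
    if include_certificates:
        files["sample-export/sslcert/server.crt"] = (
            b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
        )
        files["sample-export/sslcert/server.key"] = (
            b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"
        )
    buffer = io.BytesIO()
    with tarfile.open(fileobj=buffer, mode="w:gz") as archive:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    for with_certs in (True, False):
        result = audit_export(build_sample_export(with_certs))
        print(with_certs, result, needs_secret_handling(result))
```

To audit a real export, pass a file opened in binary mode, for example `audit_export(open(path, "rb"))`.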

    Licenses and registrations

    Deciding on a number of users (licenses)

    Kerio Control is licensed as a server with the Admin account and 5 user accounts in the basic license. Users can be added in increments of five users.

    A user is defined as a person who is permitted to connect to Kerio Control. Each user can connect from up to five different devices represented by IP addresses, including VPN clients. Guests and their devices are excluded from the licensing system.

    If any user tries to connect from more than five devices at a time, another user license is used for this purpose.

    Current license usage is displayed in the administration interface on Dashboard.

    Kerio Control does not limit the number of defined user accounts. However, if the maximal number of currently authenticated users is reached, no other user can connect.

    Licenses, optional components and Software Maintenance

    Kerio Control has the following optional components:
    - Sophos antivirus
    - Kerio Control Web Filter module for web pages rating

    These components are licensed individually.

    Software Maintenance

    Software Maintenance is a right to update the software. If Software Maintenance expires, it is still possible to keep using the existing version of the product, but it is no longer possible to update to versions released after the expiration date. Updates will be available again upon purchasing Software Maintenance for a new period.

    Registering Kerio Control in the administration interface

    If you skip the registration in the Activation Wizard, you can register the product from Dashboard in the administration interface (displayed after each login).

    When installed, the product can be registered as trial or as a full version.

    If your trial version is registered, the license file will be automatically imported to your product within 24 hours from your purchase. The Trial ID you entered in your product upon registration will be activated as a standard license number.

    If you haven't registered your trial version:
    1. Open the administration interface.
    2. Click Configuration Assistant on Dashboard.

    Figure 1 Configuration Assistant

    3. In the Configuration Assistant dialog, click Register product. If you need any help, read the Configuring the Activation Wizard article.

    Registering Kerio Control via WWW

    If you purchased a license and your Kerio Control cannot access the Internet, follow these steps to register the product:
    1. Go to
    2. Register using your purchased license number.
    3. By registering, you will download a license key (the license.key file including the corresponding certificate) which must be imported to Kerio Control.

    Importing license key

    1. Prepare the file with license.
    2. Open the administration interface.
    3. Click Configuration Assistant on Dashboard (see screenshot 1).
    4. Click Register product. If you need any help, read the Configuring the Activation Wizard article.

    On Dashboard in the License section you can check that the license was installed successfully.

    Using Dashboard in Kerio Control

    Dashboard overview

    Kerio Control includes a customizable Dashboard. Dashboard consists of tiles. Each tile displays a different type of information (graphs, statistics, Kerio News, etc.).

    Dashboard is displayed in Kerio Control after each login. To display Dashboard later, go to Configuration → Dashboard.

    Configuring the Kerio Control web interface

    Using HTTP for access to web interface

    Kerio Control Web Interface is encrypted with SSL by default. If you need to switch to the HTTP connection:
    1. Go to the administration interface.
    2. In Advanced Options → Web Interface, uncheck Force SSL secured connection. Unchecking this option is a security risk.
    3. Click Apply.

    Using a specified hostname

    The default hostname of Kerio Control is control. If Kerio Control is a member of a domain (e.g. example.com), the complete hostname will be control.example.com.

    If Kerio Control is not a member of a domain, the hostname will be only control. In this case a problem could occur on older operating systems (e.g. Windows XP). Users cannot authenticate to Kerio Control because the operating system is not able to read a one-word hostname. These operating systems need a hostname with at least two words separated by a dot (e.g. control.mycompany).

    If you want to change the hostname, use the following steps:
    1. In the administration interface, go to Advanced Options → Web Interface.
    2. Select Use specified hostname and type a hostname (for example firewall.mycompany.com).
    3. Click Apply.

    Changing a SSL certificate

    The principle of an encrypted Kerio Control web interface is based on the fact that all communication between the client and server is encrypted with SSL. For this reason you need a valid SSL certificate (see article Configuring SSL certificates in Kerio Control).

    To change the current SSL certificate:
    1. Go to the administration interface.
    2. In Advanced Options → Web Interface, select a certificate in the Certificate list.
    3. Click Apply.

    Configuring network interfaces

    Interfaces overview

    Kerio Control represents a gateway between two or more networks (typically between the local network and the Internet) and controls traffic passing through network adapters which are connected to these networks.

    In Kerio Control, you can define the following groups of interfaces:
    - Internet Interfaces: interfaces which can be used for Internet connection,
    - Trusted / Local Interfaces: interfaces connected to local private networks protected by the firewall,
    - IPsec and Kerio VPN interfaces: virtual network interfaces (Kerio VPN, IPsec VPN),
    - Guest Interfaces: interfaces which can be used for Guest LANs. See Configuring guest networks for more information.
    - Other interfaces: interfaces which do not belong to any of the groups listed above (i.e. dial-like links).

    Adding a new interface to the Interfaces section

    Interfaces in Kerio Control represent:
    - Network adapter: Each new network adapter in the Kerio Control computer displays as an interface in the Interfaces section. If you use a Kerio Control Software Appliance, you must put a new network adapter (NIC) to the Kerio Control computer. If you use a Kerio Control Virtual Appliance, you must create a new network adapter in your Hyper-V or VMware environment.
    - Port in Kerio Control Box: The Interfaces section displays the LAN switch interface. You can take a port from the switch and make it a standalone interface.
    - VLAN: If your network architecture is built on VLANs, you can add VLANs as interfaces.

    Configuring interfaces

    A configuration wizard is available for the setup of basic interface parameters:
    1. In the administration interface, go to Interfaces.
    2. Click More Actions → Configure in Wizard.
    3. Read the Configuration Assistant article.

    During the initial firewall configuration by the wizard, interfaces will be arranged into groups automatically. This classification can be changed later.

    Moving an interface to another group

    To move an interface to another group, drag it by mouse to the desired destination group, or select the group in the properties of the particular interface (see below).

    Configuring Internet connectivity

    For networks using IPv4, it is possible to use one or more Internet connections.
    1. In the administration interface, go to Interfaces.
    2. Select one of the following options:
       - A Single Internet Link: the most common connection of local networks to the Internet. In this case, only one Internet connection is available and it is used persistently. It is also possible to use dial-like links which can be connected persistently (typically PPPoE connections). For IPv6, only a single link connection is available.
       - Multiple Internet Links - Failover: if the primary link fails, Kerio Control switches to the secondary link automatically. When the connection on the primary link is recovered, Kerio Control automatically switches back to it.
       - Multiple Internet Links - Load Balancing: Kerio Control can use multiple links concurrently and spread data transferred between the LAN and the Internet among these links. In standard conditions and settings, this also works as connection failover: if any of the links fails, transferred data are spread among the other links.
    3. Click Apply.

    Adding tunnels

    You can add an interface for a new type of tunnel:
    - PPTP: use when your DSL provider requires this type of protocol.
    - PPPoE: use when your DSL provider requires this type of protocol.
    - L2TP: use when your DSL provider requires this type of protocol.
    - VPN

    Configuring PPPoE mode in the Internet interface

    Configuring PPPoE mode in the Internet interface is recommended if you use a single Internet link. The advantage is using only one interface.

    You need the following information from your provider:
    - username
    - password

    1. In the administration interface, go to Interfaces.
    2. Double-click on the Internet interface.
    3. Select PPPoE mode.
    4. In the PPPoE Interface Properties dialog, type a new interface name.
    5. Type the username and password.
    6. Save the settings.

    Configuring PPPoE tunnel

    If this connection is used as a single Internet link, it is recommended to define the PPPoE connection in the Ethernet interface.

    If you need to create another interface to the Internet, use these instructions:
    1. In the administration interface, go to Interfaces.
    2. Click Add PPPoE.
    3. In the PPPoE Interface Properties dialog, type a new interface name.
    4. Leave the Interface Group as it is. You can change it later.

    5. On tab Dialing Settings, select the interface. If you set the interface to Any, Kerio Control will automatically select the appropriate interface which will be used for connection.
    6. Type the username and password from your provider.
    7. Set time intervals in which the connection should be established persistently and when it should be disconnected. Out of these intervals, the link will demand manual dialing. The link can be hung up automatically after a defined period of idleness.

    Configuring PPTP tunnel

    You need the following information from your provider:
    - PPTP server hostname
    - username and password for PPTP server access

    1. In the administration interface, go to Interfaces.
    2. Click Add PPTP.
    3. In the PPTP Interface Properties dialog, type a new interface name.
    4. Leave the Interface Group as it is. You can change it later.
    5. On tab Dialing Settings, type the PPTP server hostname, username and password.
    6. Set time intervals in which the connection should be established persistently and when it should be disconnected. Out of these intervals, the link will demand manual dialing. The link can be hung up automatically after a defined period of idleness.
    7. Save the settings.

    Configuring L2TP tunnel

    This procedure is described in the Configuring L2TP tunnel article.

    VPN tunnel

    Read more in special articles Configuring Kerio VPN tunnel and Configuring IPsec VPN tunnel.

    Configuring Ethernet ports

    Box Edition

    Kerio Control Box contains Gigabit Ethernet ports. Individual ports can be set as:
    - Standalone interface
    - Switch for LAN
    - Not assigned: the port will be inactive.

    It is also possible to use a virtual network (VLAN).
    1. In the administration interface, go to Interfaces.
    2. Click Manage Ports.
    3. In the Manage Ports dialog, double-click Port Name.
    4. In the Configure Port dialog, you can set a port as:
       - Standalone interface: the port will be used as a standalone Ethernet interface.
       - Switch for LAN: the port will be a part of the switch which, in Kerio Control, behaves as one Ethernet interface.
       - Not assigned: the port will be inactive. This can be used for example for temporary disconnection of the computer or a network segment connected to the port.
    5. Leave Speed and duplex as it is.
    6. On Ethernet interfaces, you can create one or more tagged virtual networks (VLAN).
    7. Save the settings.

    Appliance Editions

    Appliance editions can set speed and duplex mode for Ethernet interfaces and create virtual networks (VLAN) on these interfaces:
    1. In the administration interface, go to Interfaces.
    2. Click Manage Ports.

    3. In the Manage Ports dialog, double-click Port Name.
    4. Set Speed and duplex. In most cases, interconnected devices agree on speed and communication mode automatically.
    5. On Ethernet interfaces, you can create one or more tagged virtual networks (VLAN).
    6. Save the settings.

    Physical interfaces (ports) cannot be added to the LAN switch. This functionality is available only in the box edition.

    Configuring L2TP tunnel

    L2TP tunnel overview

    Kerio Control supports L2TP (Layer 2 Tunneling Protocol). Internet providers may use L2TP to create a tunnel that connects you to the Internet. Configure the L2TP interface when your provider requires this type of protocol.

    Kerio Control also uses L2TP as a part of the IPsec VPN solution. This article describes how the L2TP interface connects your company with the Internet provider.

    Prerequisites

    You need the following information from your provider:
    - L2TP server hostname
    - username and password for L2TP server access

    Configuring L2TP tunnel

    You have to use the L2TP interface when your provider uses L2TP for connecting you to the Internet.
    1. In the administration interface, go to Interfaces.
    2. Click Add L2TP.
    3. In the L2TP Interface Properties dialog, type a new interface name.
    4. Leave the Interface Group as it is. You can change it later.
    5. On tab Dialing Settings, type the L2TP server hostname, username and password.
    6. Set time intervals in which the connection should be established persistently and when it should be disconnected. When the time interval is exceeded, the link demands manual dialing. The link can be hung up automatically after a defined period of idleness.
    7. Save the settings.

    When the Status is Up in the Interfaces section, the L2TP tunnel is active.

    Go to Dial log for more details about L2TP communications and dialing the line (see article Using the Dial log).

    Configuring L2TP tunnel with public IP address

    If your provider uses a public IP address in the L2TP interface, use additional steps:
    1. In the administration interface, go to Interfaces.
    2. Change Internet connectivity to Multiple Internet Links - Load Balancing.

    Figure 1 Load balancing configuration

    3. Add L2TP tunnel (see above).
    4. In Interface Group, select Internet Interfaces.
    5. Enable Use for Link Load Balancing in the L2TP Interface Properties dialog.

    Figure 2 L2TP Interface Properties

    6. Disable Use for Link Load Balancing in the Ethernet Interface Properties dialog.

    Figure 3 Ethernet Interface Properties

    7. Save the settings.

    Figure 4 The result

    When the Status is Up in the Interfaces section, the L2TP tunnel is active.

    Go to Dial log for more details about L2TP communication and dialing the line (see article Using the Dial log).

    Configuring the guest network

    Guest network overview

    New in Kerio Control 8.4.0!

    Watch the Configuring the guest network video.

    The guest network in Kerio Control offers your company's guests Internet access secured by Kerio Control.
    - Guests can connect to your network without a Kerio Control username and password.
    - Guests are not counted as licensed users.
    - Kerio Control gathers statistics for the guest network under the built-in Guest users account.
    - Users connected through the guest network are fully secured by Kerio Control, except that Kerio Control Web Filter is disabled in the guest network.
    - Users connect to the guest network from a welcome page.
    - You can set a shared password for accessing the Internet via a guest network. Guest users must type the shared password on the welcome page.
    - Kerio Control redirects guest network users to the welcome page after 2 hours of inactivity.

    Assigning guest interfaces

    To create a guest network, move an existing interface to the Guest Interfaces group.

    To learn how to add a new interface to the Interfaces section, read Configuring network interfaces.

    To add one or more interfaces to the Guest Interfaces group:
    1. In the administration interface, go to Interfaces.
    2. Find the interface created for guests.
    3. Drag that interface to the Guest Interfaces group.

    Figure 1 Section Interfaces

    4. Click Apply.

    Kerio Control creates the guest network and your guests can now connect to your company's Internet connection.

    Setting DHCP scope

    Interfaces from the Guest Interfaces group behave just like any interface from the Trusted/Local Interfaces or Other Interfaces group.

    If the DHCP server in Kerio Control is enabled and you use automatic mode, the scope will be generated automatically.

    If you configure DHCP scopes manually, you must create a new one for each guest network.

    Read more in Using DHCP module.

    Customizing the welcome page

    When your guests access the Internet via the guest network, they see a welcome page. You can customize the page in Kerio Control, but you cannot disable it.
    1. In the administration interface, go to Domains and User Login.
    2. On the Guest Interfaces tab, type your own welcome text.

You can format the message in HTML. You can also add a custom logo in the Advanced Options → Web Interface section.
3. Click Apply.

Your guests now see this text on the welcome page.

Creating HTML content in your Welcome page

You can format the page in HTML. You can also add links to external websites accessible via HTTP (for example: <a href= >HTTP link</a>). These web pages are accessible even without clicking on the Continue button. However, ensure that the linked pages do not require any external content (scripts, fonts, etc.), because this content will not be available.

Setting shared password for guest users

To set up a password guests can use to access the Internet via the guest network, customize it in Kerio Control:
1. In the Kerio Control administration, go to Domains and User Login.
2. On the Guest Interfaces tab, check the Require users to enter password option.
3. In the Password field, type the password. All guests must use this password to access the Internet via guest network.
4. Click Apply.

Your guests must log in by typing the password on the welcome page to access the Internet via the guest network.

Traffic rules for the guest network

Traffic rules in Kerio Control include two rules that concern guest interfaces. In the Internet access (NAT) outgoing rule, all guest interfaces are included. The Guests traffic rule allows the traffic from all guest interfaces access to the firewall with a Guest services group.

Figure 2 Traffic rules tab

Guests can access the firewall and Internet only. Traffic rules cannot override it. This is a hard-coded behavior.

Configuring VLANs

VLAN support in Kerio Control

VLANs (Virtual LANs) are virtual networks created on a single physical Ethernet interface (trunk interface). Kerio Control supports 802.1Q VLANs. You can create up to 4094 VLANs on each Ethernet interface. Each VLAN works as a standalone interface. The physical Ethernet interface works the standard way (as an untagged VLAN).

Creating VLAN interfaces

To define new VLANs:
1. Go to section Configuration → Interfaces.
2. Double-click the Ethernet interface.
3. Open the VLAN tab.
4. Click Add or Remove VLANs.
5. Check Create VLAN subinterfaces.
6. Type VLAN IDs separated by semicolons. VLAN ID is a number between 1 and
Kerio Control creates a new network interface for each VLAN. The new interfaces are added to the Other Interfaces group.
7. You can move VLANs to other interface groups.
8. Double-click a VLAN interface to set the IPv4 and/or IPv6 parameters.

Now you can use the VLAN interface in traffic rules.

Removing VLAN interfaces

To remove a VLAN, remove the VLAN ID from the trunk interface:
1. Go to section Configuration → Interfaces.
2. Double-click the Ethernet interface.

3. Open the VLAN tab.
4. Click Add or Remove VLANs.
5. Delete the VLAN ID from the list. To remove all VLANs, uncheck the Create VLAN subinterfaces option.

The VLAN interface is removed from the Interfaces section and from all traffic rules.

Changing MAC addresses of network interfaces

Overview

New in Kerio Control

A MAC address identifies devices on a network. Some routers or Internet service providers permit only specific MAC addresses. When you need to use a device or network adapter with a specific MAC address on your side, you can change the MAC address of a network interface in Kerio Control.

Changing MAC addresses

To override the MAC address:
1. In the administration interface, go to Interfaces.
2. Double-click the interface. The Interface Properties dialog box opens.
3. Click the Advanced button. The Advanced Interface Properties dialog opens.
4. Select Override MAC address and type the address.
5. Save your settings.

The interface now uses the newly configured MAC address.

Figure 1 Ethernet Interface Properties dialog

Configuring Kerio VPN server

VPN overview

Kerio Control supports VPN (Virtual Private Network). Kerio Control includes a proprietary implementation of VPN, called Kerio VPN. Kerio VPN can be used for:
- Kerio VPN server for connecting clients (desktops, notebooks, mobile devices etc.)
- Kerio VPN tunnel for connecting LANs

This article describes using Kerio VPN server.

Configuring Kerio VPN Server

First, you must enable communication through VPN in Traffic Rules. Then:
1. In the administration interface, go to Interfaces.
2. Double-click on VPN Server.
3. In the VPN Server Properties dialog, check Enable Kerio VPN Server.
4. On tab Kerio VPN, select a valid SSL certificate.
5. The port 4090 (both TCP and UDP protocols are used) is set as default. Do not switch to another port without a proper reason. If it is not possible to run the VPN server at the specified port (the port is used by another service), the error will be reported in the Error log.
6. To specify a VPN route manually, read section Configuring routing.
7. Save the settings.

Configuring routing

By default, routes to all local subnets at the VPN server's side are defined. Other networks to which a VPN route will be set for the client can be specified:
1. In the administration interface, go to Interfaces.
2. Double-click the VPN Server.

3. On tab Kerio VPN, click Custom Routes.
4. Click Add.
5. In the Add Route dialog, define a network, mask and description. In case of any collisions, custom routes are used instead.
6. Save the settings.

TIP: Use the network mask to define a route to a certain host. This can be helpful, for example, when a route to a host in the demilitarized zone at the VPN server's side is being added.

Configuring Kerio VPN clients

The following conditions must be met to enable connection of remote clients to local networks:
- Kerio VPN Client must be installed at remote clients.
- In the Users and Groups → Users section, check the right Users can connect using VPN for your users.
- Connection to the VPN server from the Internet as well as communication between VPN clients must be allowed by traffic rules. There is a default traffic policy rule which should be enabled. Otherwise there is a defined service for Kerio VPN (TCP/UDP 4090) in case you do not have this rule.

Hint: VPN clients correctly connected to the firewall can be overviewed in the administration interface, section Status → VPN clients.

Configuring Kerio VPN tunnel

Kerio VPN overview

Kerio Control supports VPN (Virtual Private Network). Kerio Control includes a proprietary implementation of VPN, called Kerio VPN. Kerio VPN can be used for:
- Kerio VPN tunnel for connecting LANs
- Kerio VPN server for connecting clients (desktops, notebooks, mobile devices etc.)

This article describes using Kerio VPN tunnel.

Prerequisites

- Enable VPN tunnel in Traffic Rules.
- Set the DNS settings for using the DNS names in the remote network.

DNS must be set properly at both endpoints. One method is to add DNS records of the hosts (to the hosts file) at each endpoint. If the DNS module in Kerio Control is used as the DNS server at both ends of the tunnel, DNS queries can be forwarded to hostnames in the corresponding domain of the DNS module at the other end of the tunnel. DNS domain (or subdomain) must be used at both sides of the tunnel.

Configuring Kerio VPN tunnel

1. In the administration interface, go to Interfaces.
2. Click Add → VPN Tunnel.
3. Type a name of the new tunnel. Each VPN tunnel must have a unique name. This name will be used in the table of interfaces, in traffic rules and interface statistics.
4. Set the tunnel as active (and type the hostname of the remote endpoint) or passive.
- Active: type the remote VPN server. If the remote VPN server does not use the port 4090, a corresponding port number must be specified (e.g. server.company.com:4100).
- Passive: the passive mode is only useful when the local end of the tunnel has a fixed IP address and when it is allowed to accept incoming connections.

5. Select Type: Kerio VPN.
6. On tab Authentication, specify the fingerprint of the remote VPN server certificate and, vice versa, specify the fingerprint of the local server in the configuration at the remote server. If the local endpoint is in the active mode, the certificate of the remote endpoint and its fingerprint can be downloaded by clicking Detect remote certificate.
7. Save the settings.

Configuring routing

By default, routes to all local subnets at the VPN server's side are defined. Other networks to which a VPN route will be set for the client can be specified:
1. In the administration interface, go to Interfaces.
2. Double-click the VPN tunnel.
3. On tab Routing, check Use custom routes. If Use routes provided automatically by the remote endpoint is also enabled, custom routes are used instead in case of any collisions. This option easily solves the problem where a remote endpoint provides one or more invalid route(s).
4. Click Add.
5. In the Add Route dialog, define a network, mask and description.
6. Save the settings.

Configuring VPN failover

New in Kerio Control 8.1!

If Kerio Control is load balancing between multiple Internet links, it is possible to use VPN failover. This will ensure that a VPN tunnel is re-established automatically in case the primary link used for VPN tunnelling becomes unavailable.

To configure failover, input all remote endpoints (by hostname or IP address), separated by semicolons, into the VPN tunnel properties.

When attempting to establish the tunnel, Kerio Control will cycle through the list of the endpoints in the same order that they are listed in the VPN Tunnel Properties.

Example of Kerio VPN configuration: company with a filial office

Overview

This article provides an example of how to create an encrypted tunnel connecting two private networks using the Kerio VPN. This example can be customized. The method described can be used in cases where no redundant routes arise by creating VPN tunnels (i.e. multiple routes between individual private networks).

Specification

Suppose a company has its headquarters in New York and a branch office in London. We intend to interconnect local networks of the headquarters by a VPN tunnel using the Kerio VPN. VPN clients will be allowed to connect to the headquarters network.

The server (default gateway) of the headquarters uses the public IP address (DNS name is newyork.company.com), the server of the branch office uses a dynamic IP address assigned by DHCP.

The local network of the headquarters consists of two subnets, LAN 1 and LAN 2. The headquarters uses the company.com DNS domain.

The network of the branch office consists of one subnet only (LAN). The branch office uses filial.company.com.

Figure 1 provides a scheme of the entire system, including IP addresses and the VPN tunnels that will be built.

Suppose that both networks are already deployed and set according to the figure and that the Internet connection is available.

Traffic between the network of the headquarters, the network of the branch office and VPN clients will be restricted according to the following rules:
1. VPN clients can connect to the LAN 1 and to the network of the branch office.
2. Connection to VPN clients is disabled for all networks.
3. Only the LAN 1 network is available from the branch office. In addition to this, only the WWW, FTP and Microsoft SQL services are available.

4. No restrictions are applied for connections from the headquarters to the branch office network.
5. LAN 2 is not available to the branch office network nor to VPN clients.

Figure 1 Example interconnection of the headquarter and a filial office by VPN tunnel (connection of VPN clients is possible)

Common method

The following actions must be taken in both local networks (i.e. in the main office and the filial):
1. Kerio Control must be installed on the default gateway of the network. For every installation of Kerio Control, a stand-alone license for the corresponding number of users is required!
2. Configure and test connection of the local network to the Internet. Hosts in the local network must use the Kerio Control host's IP address as the default gateway and as the primary DNS server.
3. In configuration of the DNS module, set DNS forwarding rules for the domain in the remote network. This makes it possible to access hosts in the remote network by using their DNS names (otherwise, it is necessary to specify remote hosts by IP addresses). For proper functionality of DNS, the DNS database must include records for hosts in a corresponding local network. To achieve this, save DNS names and IP addresses of local hosts into the hosts table (if they use IP addresses) or enable cooperation of the DNS module with the DHCP server (in case that IP addresses are assigned dynamically to these hosts).
4. In the Interfaces section, allow the VPN server.
5. Check that the automatically selected VPN subnet does not collide with any local subnet either in the headquarters or in the filial, and select another free subnet if necessary.
6. Define the VPN tunnel to the remote network. The passive endpoint of the tunnel must be created at a server with fixed public IP address (i.e. at the headquarter's server). Only active endpoints of VPN tunnels can be created at servers with dynamic IP address. If the remote endpoint of the tunnel has already been defined, check whether the tunnel was created. If not, refer to the Error log, check fingerprints of the certificates and also availability of the remote server.
7. In traffic rules, allow traffic between the local network, remote network and VPN clients and set desirable access restrictions. In this network configuration, all desirable restrictions can be set at the headquarter's server. Therefore, only traffic between the local network and the VPN tunnel will be enabled at the filial's server.
8. Test reachability of remote hosts from each local network. To perform the test, use the ping and tracert (traceroute) system commands. Test availability of remote hosts both through IP addresses and DNS names. If a remote host is tested through IP address and it does not respond, check configuration of the traffic rules and/or find out whether the subnets collide (i.e. whether the same subnet is used at both ends of the tunnel). If an IP address is tested successfully and an error is reported (Unknown host) when a corresponding DNS name is tested, then check configuration of the DNS.
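The subnet collision check from the common method above can be scripted before any tunnel is defined. The following is an added example, not part of the Kerio guide; the addressing plan is constructed for illustration (the guide's real addresses are not on this page), and it also catches nested subnets, not only identical ones.

```python
import ipaddress
from itertools import combinations

# Constructed addressing plan (the guide's real addresses are not on the page).
# "branch-lan" deliberately overlaps "hq-lan2" to show a collision.
PLAN = {
    "hq-lan1": "192.168.1.0/24",
    "hq-lan2": "192.168.2.0/24",
    "hq-vpn": "172.27.10.0/24",
    "branch-lan": "192.168.2.128/25",
    "branch-vpn": "172.27.11.0/24",
}


def find_collisions(plan):
    """Return sorted pairs of names whose subnets overlap (equal or nested)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].version == nets[b].version and nets[a].overlaps(nets[b])
    ]


def first_free_subnet(plan, pool, prefixlen):
    """Return the first subnet of `pool` with the given prefix length that
    overlaps nothing in `plan`, or None if the pool is exhausted."""
    used = [ipaddress.ip_network(cidr) for cidr in plan.values()]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(
            u.version == candidate.version and candidate.overlaps(u) for u in used
        ):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b in find_collisions(PLAN):
        print(f"collision: {a} ({PLAN[a]}) overlaps {b} ({PLAN[b]})")
    print("free /25:", first_free_subnet(PLAN, "192.168.2.0/23", 25))
```
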
The following sections provide detailed description of the Kerio VPN configuration both for the headquarter and the filial offices.

Headquarters configuration

1. On the default gateway of the headquarters (referred to as server in further text), install Kerio Control.
2. Perform basic configuration of Kerio Control by using the connectivity wizard and the traffic policy wizard. In the traffic policy wizard, allow access to the Kerio VPN server service. This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network (through the firewall).

Figure 2 Headquarter default traffic rules for Kerio VPN

3. Customize DNS configuration as follows:
- In the Kerio Control's DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers).
- Enable the Use custom forwarding option and define rules for names in the filial.company.com domain. Specify the server for DNS forwarding by the IP address of the internal interface of the Kerio Control host (i.e. interface connected to the local network at the other end of the tunnel).

Figure 3 Headquarter DNS forwarding settings

- No DNS server will be set on interfaces of the Kerio Control host connected to the local networks LAN 1 and LAN 2.
- On other computers, set an IP address as the primary DNS server. This address must match the corresponding default gateway ( or ). Hosts in the local network can be configured automatically by DHCP protocol.

For proper functionality of DNS, the DNS database must include records for hosts in a corresponding local network. To achieve this, save DNS names and IP addresses of local hosts into the hosts table (if they use IP addresses) or enable cooperation of the DNS module with the DHCP server (in case that IP addresses are assigned dynamically to these hosts).

4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certification authority is available).

The VPN network and Mask entries now include an automatically selected free subnet.

5. Create a passive end of the VPN tunnel (the server of the branch office uses a dynamic IP address). Specify the remote endpoint's fingerprint by the fingerprint of the certificate of the branch office VPN server.

Figure 4 Headquarter definition of VPN tunnel for a filial office

6. Customize traffic rules according to the restriction requirements.
- In the Local Traffic rule, remove all items except those belonging to the local network of the company headquarters, i.e. except the firewall and the group of interfaces Trusted/Local interfaces.
- Define (add) the VPN clients rule which will allow VPN clients to connect to LAN 1 and to the network of the branch office (via the VPN tunnel).
- Create the Branch office rule which will allow connections to services in LAN 1.
- Add the Company headquarters rule allowing connections from the local network to the branch office network.

Figure 5 Headquarter final traffic rules

Rules defined this way meet all the restriction requirements. Traffic which does not match any of these rules will be blocked by the default rule.

VPN test

Configuration of the VPN tunnel is now complete. At this point, it is recommended to test availability of the remote hosts from each end of the tunnel (from both local networks).

For example, the ping and/or tracert (traceroute) operating system commands can be used for this testing. It is recommended to test availability of remote hosts both through IP addresses and DNS names.

If a remote host is tested through IP address and it does not respond, check configuration of the traffic rules and/or find out whether the subnets collide (i.e. whether the same subnet is used at both ends of the tunnel).

If an IP address is tested successfully and an error is reported (Unknown host) when a corresponding DNS name is tested, then check configuration of the DNS.
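The claim that the headquarters' final traffic rules meet the five restriction requirements can be checked mechanically before testing with ping. The following is an added example, not Kerio's rule engine or configuration format: zone names are labels for this model, SSH and SMB are constructed probe services, and the contents of the untrimmed Local Traffic rule (VPN tunnel and VPN clients left in) are an assumption about what the wizard creates.

```python
from dataclasses import dataclass
from itertools import product

ANY = None  # a rule with services=ANY matches every service

# Zone names are labels for this model, not Kerio Control identifiers.
ZONES = ["FIREWALL", "LAN1", "LAN2", "BRANCH", "VPN_CLIENTS"]
# WWW, FTP and MS SQL come from the page; SSH and SMB are constructed probes.
SERVICES = ["WWW", "FTP", "MS SQL", "SSH", "SMB"]
BRANCH_SERVICES = frozenset({"WWW", "FTP", "MS SQL"})
HQ_LOCAL = frozenset({"FIREWALL", "LAN1", "LAN2"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    services: frozenset = ANY

    def matches(self, src, dst, svc):
        return (src in self.src and dst in self.dst
                and (self.services is ANY or svc in self.services))


# The four allow rules described in step 6; everything else hits the default rule.
FINAL_RULES = [
    Rule("VPN clients", frozenset({"VPN_CLIENTS"}), frozenset({"LAN1", "BRANCH"})),
    Rule("Branch office", frozenset({"BRANCH"}), frozenset({"LAN1"}), BRANCH_SERVICES),
    Rule("Company headquarters", frozenset({"LAN1", "LAN2"}), frozenset({"BRANCH"})),
    Rule("Local traffic", HQ_LOCAL, HQ_LOCAL),
]

# Assumed misconfiguration: Local traffic still lists the tunnel and VPN clients.
UNTRIMMED_RULES = FINAL_RULES[:3] + [
    Rule("Local traffic", frozenset(ZONES), frozenset(ZONES)),
]


def decide(rules, src, dst, svc):
    """First matching rule allows; no match falls through to the default block."""
    for rule in rules:
        if rule.matches(src, dst, svc):
            return "allow", rule.name
    return "deny", "default rule"


def required(src, dst, svc):
    """Outcome demanded by restrictions 1-5, or None where they are silent."""
    if dst == "VPN_CLIENTS":
        return "deny"                                            # restriction 2
    if src == "VPN_CLIENTS" and dst in ("LAN1", "BRANCH"):
        return "allow"                                           # restriction 1
    if src == "BRANCH" and dst == "LAN1":
        return "allow" if svc in BRANCH_SERVICES else "deny"     # restriction 3
    if src in ("BRANCH", "VPN_CLIENTS") and dst == "LAN2":
        return "deny"                                            # restrictions 3, 5
    if src in ("LAN1", "LAN2") and dst == "BRANCH":
        return "allow"                                           # restriction 4
    return None


def audit(rules):
    """Return (src, dst, service, required, deciding rule) for each violation."""
    violations = []
    for src, dst, svc in product(ZONES, ZONES, SERVICES):
        if src == dst:
            continue
        want = required(src, dst, svc)
        got, by = decide(rules, src, dst, svc)
        if want is not None and got != want:
            violations.append((src, dst, svc, want, by))
    return violations


if __name__ == "__main__":
    print("final rules:", len(audit(FINAL_RULES)), "violations")
    for v in audit(UNTRIMMED_RULES)[:5]:
        print("untrimmed Local traffic violates:", v)
```
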

Example of Kerio VPN configuration: company with two filial offices

Overview

This article provides a complex VPN scenario where redundant routes arise between interconnected private networks (i.e. multiple routes exist between two networks that can be used for transfer of packets).

The only difference in Kerio VPN configuration between this type and VPN with no redundant routes is the setting of routing between endpoints of individual tunnels. In such a case, it is necessary to set routing between individual endpoints of VPN tunnels by hand. Automatic route exchange is inconvenient since Kerio VPN uses no routing protocol and the route exchange is based on comparison of routing tables at individual endpoints of the VPN tunnel.

For better reference, the configuration is described here by an example of a company with a headquarters and two filial offices with their local private networks interconnected by VPN tunnels.

Specification

The network follows the pattern shown in figure 1.

Figure 1 Example of a VPN configuration: a company with two filials

The server (default gateway) uses the fixed IP address (DNS name is gw-newyork.company.com). The server of one filial uses the IP address (DNS name gw-london.company.com), the other filial's server uses a dynamic IP address assigned by the ISP.

The headquarters uses the DNS domain company.com, filials use subdomains santaclara.company.com and newyork.company.com.

Common method

The following actions must be taken in all local networks:
1. Kerio Control must be installed on the default gateway of the network. For every installation of Kerio Control, a stand-alone license for the corresponding number of users is required.
2. Configure and test connection of the local network to the Internet. Hosts in the local network must use the Kerio Control host's IP address as the default gateway and as the primary DNS server.
3. In configuration of the DNS module, set DNS forwarding rules for domains of the other filials. This makes it possible to access hosts in the remote networks by using their DNS names (otherwise, it is necessary to specify remote hosts by IP addresses). For proper functionality of the DNS, at least one DNS server must be specified to which DNS queries for other domains are forwarded (typically the DNS server of the ISP). The DNS database must include records of hosts in the corresponding local network. To achieve this, save DNS names and IP addresses of local hosts into the hosts table (if they use IP addresses) and/or enable cooperation of the DNS module with the DHCP server (in case that IP addresses are assigned dynamically to these hosts).
4. In the Interfaces section, allow the VPN server. Check that the automatically selected VPN subnet does not collide with any local subnet in any filial, and select another free subnet if necessary. Reserve three free subnets in advance that can later be assigned to individual VPN servers.
5. Define the VPN tunnel to one of the remote networks. The passive endpoint of the tunnel must be created at a server with fixed public IP address. Only active endpoints of VPN tunnels can be created at servers with dynamic IP address.

Set routing (define custom routes) for the tunnel. Select the Use custom routes only option and specify all subnets of the remote network in the custom routes list. If the remote endpoint of the tunnel has already been defined, check whether the tunnel was created. If not, refer to the Error log, check fingerprints of the certificates and also availability of the remote server.
6. Follow the same method to define a tunnel and set routing to the other remote network.
7. Allow traffic between the local and the remote networks. To allow any traffic, just add the created VPN tunnels to the Source and Destination in the Local traffic rule.
8. Test reachability of remote hosts in both remote networks. To perform the test, use the ping and tracert (traceroute) system commands. Test availability of remote hosts both through IP addresses and DNS names. If a remote host is tested through IP address and it does not respond, check configuration of the traffic rules and/or find out whether the subnets collide (i.e. whether the same subnet is used at both ends of the tunnel). If an IP address is tested successfully and an error is reported (Unknown host) when a corresponding DNS name is tested, then check configuration of the DNS.

The following sections provide detailed description of the Kerio VPN configuration both for the headquarter and the filial offices.

Headquarters configuration

1. Kerio Control must be installed on the default gateway of the headquarter's network.
2. In Kerio Control, set basic traffic rules by using the connectivity wizard and the traffic policy wizard. In the traffic policy wizard, allow access to the Kerio VPN server service. This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network (through the firewall).

Figure 2 Headquarter default traffic rules for Kerio VPN

3. Customize DNS configuration as follows:
- In the Kerio Control's DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers).
- Enable the Use custom forwarding option and define rules for names in the filial1.company.com and filial2.company.com domains. To specify the forwarding DNS server, always use the IP address of the Kerio Control host's inbound interface connected to the local network at the remote side of the tunnel.

Figure 3 Headquarter DNS forwarding settings

- No DNS server will be set on interfaces of the Kerio Control host connected to the local networks LAN 1 and LAN 2.
- On other computers, set an IP address as the primary DNS server. This address must match the corresponding default gateway ( or ). Hosts in the local network can be configured automatically by DHCP protocol.

4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certification authority is available). The VPN network and Mask entries now include an automatically selected free subnet. Check that this subnet does not collide with any other subnet in the headquarters or in the filials. If it does, specify a free subnet.
5. Create a passive endpoint of the VPN tunnel connected to the London filial. Use the fingerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate.

On the Advanced tab, select the Use custom routes only option and set routes to the subnets at the remote endpoint of the tunnel (i.e. in the London filial).

Figure 4 The headquarters routing configuration for the tunnel connected to the London filial

If the VPN configuration described here is applied (see figure 1), using automatically provided routes is not recommended! With an automatic exchange of routes, the routing within the VPN will not be ideal (for example, any traffic between the headquarters and the Paris filial office is routed via the London filial whereas the tunnel between the headquarters and the Paris office stays unused).

6. Use the same method to create a passive endpoint for the tunnel connected to the Paris filial. On the Advanced tab, select the Use custom routes only option and set routes to the subnets at the remote endpoint of the tunnel (i.e. in the Paris filial).

Figure 5 The headquarters routing configuration for the tunnel connected to the Paris filial

Configuration of the London filial

1. Kerio Control must be installed on the default gateway of the filial's network.
2. In Kerio Control, set basic traffic rules by using the connectivity wizard and the traffic policy wizard. In the traffic policy wizard, allow access to the Kerio VPN server service. This step will create rules for connection of the VPN server as well as for communication of VPN clients with the local network (through the firewall).

Figure 6 The London filial office default traffic rules for Kerio VPN

3. Customize DNS configuration as follows:
- In the Kerio Control's DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers).
- Enable the Use custom forwarding option and define rules for names in the company.com and filial2.company.com domains. To specify the forwarding DNS server, always use the IP address of the Kerio Control host's inbound interface connected to the local network at the remote side of the tunnel.

Figure 7 The London filial office DNS forwarding settings

- No DNS server will be set on interfaces of the Kerio Control host connected to the local networks LAN 1 and LAN 2.
- On other computers, set an IP address as the primary DNS server. This address must match the corresponding default gateway ( or ). Hosts in the local network can be configured automatically by DHCP protocol.

4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certification authority is available). The VPN network and Mask entries now include an automatically selected free subnet. Check that this subnet does not collide with any other subnet in the headquarters or in the filials. If it does, specify a free subnet.

5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerprint of the VPN server of the headquarters as a specification of the fingerprint of the remote SSL certificate.

Figure 8 The London filial office definition of VPN tunnel for the headquarters

On the Advanced tab, select the Use custom routes only option and set routes to London's local networks.

Figure 9 The London filial routing configuration for the tunnel connected to the headquarters

At this point, connection should be established (i.e. the tunnel should be created). If connected successfully, the Connected status will be reported in the Adapter info column for both ends of the tunnel. If the connection cannot be established, we recommend that you check the configuration of the traffic rules and test availability of the remote server. In our example, the following command can be used at the London branch office server:

ping gw-newyork.company.com

6. Create a passive endpoint of the VPN tunnel connected to the Paris filial. Use the fingerprint of the VPN server of the Paris filial office as a specification of the fingerprint of the remote SSL certificate. On the Advanced tab, select the Use custom routes only option and set routes to Paris local networks.

Figure 10 The London filial routing configuration for the tunnel connected to the Paris branch office

Configuration of the Paris filial

1. Kerio Control must be installed on the default gateway of the filial's network.
2. In Kerio Control, set basic traffic rules by using the connectivity wizard and the traffic policy wizard. In this case there is no reason to enable the Kerio VPN server service (the server uses dynamic public IP address).
3. Customize DNS configuration as follows:
- In the Kerio Control's DNS module configuration, enable DNS forwarder (forwarding of DNS requests to other servers).
- Enable the Use custom forwarding option and define rules for names in the company.com and filial1.company.com domains. Specify the server for DNS forwarding by the IP address of the internal interface of the Kerio Control host (i.e. interface connected to the local network at the other end of the tunnel).

Figure 11 The Paris filial office DNS forwarding settings

- No DNS server will be set on the interface of the Kerio Control host connected to the local network.
- Set the IP address as a primary DNS server also for the other hosts.

4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate provided by a certification authority is available). The VPN network and Mask entries now include an automatically selected free subnet. Check that this subnet does not collide with any other subnet in the headquarters or in the filials. If it does, specify a free subnet.
5. Create an active endpoint of the VPN tunnel which will connect to the headquarters server (newyork.company.com). Use the fingerprint of the VPN server of the headquarters as a specification of the fingerprint of the remote SSL certificate. On the Advanced tab, select the Use custom routes only option and set routes to London's local networks.

Figure 12 The Paris filial routing configuration for the tunnel connected to the headquarters

At this point, connection should be established (i.e. the tunnel should be created). If connected successfully, the Connected status will be reported in the Adapter info column for both ends of the tunnel. If the connection cannot be established, we recommend that you check the configuration of the traffic rules and test availability of the remote server. In our example, the following command can be used at the Paris branch office server:

ping gw-newyork.company.com

6. Create an active endpoint of the tunnel connected to London (server gw-london.company.com). Use the fingerprint of the VPN server of the London filial office as a specification of the fingerprint of the remote SSL certificate. On the Advanced tab, select the Use custom routes only option and set routes to London's local networks.

   Figure 13 The Paris filial routing configuration for the tunnel connected to the London branch office

   As in the previous step, check whether the tunnel has been established successfully, and check reachability of remote private networks (i.e. of local networks in the London filial).
7. The All VPN Clients group from the Local Traffic rule (no VPN clients will connect to this branch office network).

Figure 14 The Paris filial office final traffic rules

VPN test

The VPN configuration is now complete. At this point, it is recommended to test reachability of the remote hosts in the other remote networks (at remote endpoints of individual tunnels). The ping and/or tracert (traceroute) operating system commands can be used for this testing.

Configuring IPsec VPN

IPsec overview

Kerio Control supports IPsec. IPsec (IP security) is a security extension for Internet Protocol (read more in Wikipedia). Kerio Control uses IPsec for VPN implementation.

IPsec can be used for:
- IPsec VPN server for connecting clients (desktops, notebooks, mobile devices etc.)
- IPsec VPN tunnel for connecting LANs

This article describes using IPsec VPN server and configuring clients.

For securing the communication you can use:
- a preshared key (PSK, shared secret)
- an SSL certificate
- both methods in Kerio Control (a client application must use only one method).

Each user must provide their credentials for authentication.

Configuring IPsec VPN server with a preshared key

The preshared key is a shared password for all users using an IPsec VPN.

1. In the administration interface, go to Interfaces.
2. Double-click on VPN Server.
3. In the VPN Server Properties dialog (see screenshot 1), check Enable IPsec VPN Server.

   Figure 1 VPN Server Properties

   Kerio Control is able to provide the Kerio VPN server and IPsec VPN server simultaneously.
4. On tab IPsec VPN, select a valid SSL certificate in the Certificate pop-up list.
5. Check Use preshared key and type the key.
6. Save the settings.

Configuring IPsec server with a SSL certificate

1. In the administration interface, go to Interfaces.
2. Double-click on VPN Server.
3. In the VPN Server Properties dialog, check Enable IPsec VPN Server.

4. On tab IPsec VPN, select a valid SSL certificate in the Certificate pop-up list.
5. On tab IPsec VPN, check Use certificate for clients.
6. Save the settings.

Configuring clients with a preshared key

Tell your users what to prepare for the configuration of their clients:
- VPN type: L2TP IPsec PSK
- Kerio Control hostname or IP address
- preshared key (PSK, shared secret)
- username and password for access to firewall

Supported mobile devices

Many mobile devices support IPsec VPN and may work with Kerio Control. However, Kerio Control officially supports the following list:
- Android 4 and higher
- iOS 6 and higher

Figure 2 Examples of Apple iPhone and Android settings


Configuring IPsec VPN tunnel

IPsec overview

Kerio Control supports IPsec. IPsec (IP security) is a security extension for Internet Protocol (read more in Wikipedia). Kerio Control uses IPsec for VPN implementation.

IPsec can be used for:
- IPsec VPN server for connecting clients (desktops, notebooks, mobile devices etc.)
- IPsec VPN tunnel for connecting LANs

This article describes using IPsec VPN tunnel. If you can connect two or more Kerio Controls via VPN tunnel, use Kerio VPN. Kerio VPN tunnel is able to seek routes in remote networks.

Before you start

Prepare the following list:
- enable the VPN Services pre-configured rule on both tunnel endpoints
- ID of the remote endpoint (on most servers it is called Local ID)
- you must prepare a list of all routes behind the remote endpoint
- if you want to use an SSL certificate, prepare the SSL certificate of the remote endpoint, or an authority + ID of the remote SSL certificate. You must import the certificate or the authority to Kerio Control.

Configuring IPsec VPN tunnel with a preshared key authentication

1. In the administration interface, go to Interfaces.
2. Click Add VPN Tunnel.
3. Type a name of the new tunnel.

4. Set the tunnel as active (and type the hostname of the remote endpoint) or passive. One Kerio Control must be set as active and the other as passive. The active endpoint establishes and maintains a connection to the passive endpoint.
5. Select Type: IPsec.
6. Select Preshared key and type the key.
7. Copy the value of the Local ID field from Kerio Control to the Remote ID of the remote endpoint and vice versa. The predefined Local ID is the hostname of Kerio Control. If you change the Kerio Control hostname, Local ID will be changed too.
8. On tab Routing, you must define all remote networks including the subnet for VPN clients. IPsec VPN is not able to seek remote networks. You must enter them manually.
9. Save the settings.

IKE ciphers displayed in the VPN Server Properties dialog are recommended. However, Kerio Control is able to work with ciphers described in this article.

Configuring IPsec VPN tunnel with a SSL certificate authentication

You have two choices:
- The SSL certificate of the remote endpoint is imported in the Kerio Control (Definitions → SSL Certificates).
- The authority that signed the remote certificate is imported in the Kerio Control (Definitions → SSL Certificates). You also need to know the Local ID (Distinguished name) of the remote certificate.

When the SSL certificate/authority is imported, follow these instructions:

1. In the administration interface, go to Interfaces.
2. Click Add VPN Tunnel.
3. Type a name of the new tunnel.
4. Set the tunnel as active (and type the hostname of the remote endpoint) or passive. One endpoint must be set as active and the other as passive. The active endpoint establishes and maintains a connection to the passive endpoint.

5. Select Type: IPsec.
6. Select Remote certificate:
   - Not in local store: only an authority was imported to Kerio Control. Copy the remote SSL certificate ID to the Remote ID field and vice versa: import the Kerio Control authority to the remote endpoint and copy the Local ID somewhere in the remote endpoint.
   - Select the remote SSL certificate: export the certificate from Kerio Control and import it to the remote endpoint.
7. On tab Remote Networks, you must define all remote networks including the subnet for VPN clients. IPsec VPN is not able to seek remote routes. You must enter them manually.
8. Save the settings.

IKE ciphers displayed in the VPN Server Properties dialog are recommended. However, Kerio Control is able to work with ciphers described in this article.

Configuring VPN failover

New in Kerio Control 8.1!

If Kerio Control is load balancing between multiple Internet links, it is possible to use VPN failover. This will ensure that a VPN tunnel is re-established automatically in case the primary link used for VPN tunnelling becomes unavailable.

To configure failover, input all remote endpoints (by hostname or IP address), separated by semicolons, into the VPN tunnel properties. When attempting to establish the tunnel, Kerio Control will cycle through the list of the endpoints in the same order that they are listed in the VPN Tunnel Properties.


Configuring IPsec VPN tunnel (Kerio Control and another device)

IPsec tunnel overview

You can create a secure tunnel between two LANs secured by a firewall. This article describes creating an IPsec VPN tunnel between Kerio Control and another device. Before you start, read the article Configuring IPsec VPN tunnel, which describes Kerio Control settings.

Default values in Kerio Control

This section includes default and supported values for IPsec implemented in Kerio Control. Both endpoints should be able to communicate automatically. If a problem occurs and you have to set the values manually, consult the following tables for default and supported values in Kerio Control. The default values are used by Kerio Control. Remote endpoints of the tunnel can also use the supported values.

Table 1 Phase 1 (IKE)

Parameter | Default values (in bold), supported values | Unsupported values
mode | main | aggressive
remote ID type | hostname, IP address |
NAT traversal | enabled |
ciphersuite (policies) | aes128-sha1-modp2048, 3des-sha1-modp1536, see the list of Supported ciphers |
version | IKEv1 | IKEv2
DPD timeouts | enabled (150 sec) |
lifetime | 3 hours |

Table 2 Phase 2 (ESP)

Parameter | Default values (in bold), supported values | Unsupported values
mode | tunnel | transport
protocol | ESP | AH
ciphersuite (policies) | aes128-sha1, 3des-sha1, see the list of Supported ciphers |
PFS | off |
lifetime | 60 mins |

Supported ciphers

Each cipher consists of three parts:
- Encryption Algorithm: aes128
- Integrity Algorithm: sha1
- Diffie Hellman Groups: modp2048

Kerio Control supports the following ciphers:

Table 3 Phase 1 (IKE) - supported ciphers

Encryption Algorithms:
- aes128 or aes (128 bit AES-CBC)
- aes192 (192 bit AES-CBC)
- aes256 (256 bit AES-CBC)
- 3des (168 bit 3DES-EDE-CBC)

Integrity Algorithms:
- md5 (MD5 HMAC)
- sha1 or sha (SHA1 HMAC)
- sha2_256 or sha256 (SHA2_256_128 HMAC)
- sha2_384 or sha384 (SHA2_384_192 HMAC)
- sha2_512 or sha512 (SHA2_512_256 HMAC)

Diffie Hellman Groups:
- 2 (modp1024)
- 5 (modp1536)
- 14 (modp2048)
- 15 (modp3072)
- 16 (modp4096)
- 18 (modp8192)
- 22 (modp1024s160)
- 23
- 24 (modp2048s256)

Table 4 Phase 2 (ESP) - supported ciphers

Encryption Algorithms:
- aes128 or aes (128 bit AES-CBC)
- aes192 (192 bit AES-CBC)
- aes256 (256 bit AES-CBC)
- 3des (168 bit 3DES-EDE-CBC)
- blowfish256 (256 bit Blowfish-CBC)

Integrity Algorithms:
- md5 (MD5 HMAC)
- sha1 or sha (SHA1 HMAC)
- aesxcbc (AES XCBC)

Diffie Hellman Groups:
- none (no PFS)

Configuring traffic rules

How traffic rules work

In Kerio Control traffic rules support IPv6! Watch the Configuring traffic rules video.

The traffic policy consists of rules ordered by their priority. The rules are processed from the top downwards and the first matched rule is applied. The order of the rules can be changed with the two arrow buttons on the right side of the window, or by dragging the rules within the list.

An implicit rule denying all traffic is shown at the end of the list. This rule cannot be removed. If there is no rule to allow particular network traffic, then the implicit rule will discard the packet.

To control user connections to WWW or FTP servers and filter contents, use the content filter available in Kerio Control for these purposes rather than traffic rules. Read more in the Configuring the Content Filter article.

Configuring traffic rules

If you do not have any traffic rules created in Kerio Control, use the configuration wizard (go to Traffic Rules and click More Actions → Configure in Wizard).

To create your own rules, look at the following examples:

Figure 1 Basic traffic rules configured by Wizard

Port mapping

To enable all services for Kerio Connect placed in your local network protected by Kerio Control, follow these steps:

1. In the administration interface, go to Traffic Rules.
2. Click Add.
3. In the Add New Rule wizard, type a name of the rule.
4. Select Port mapping.
5. In the Host field, type the hostname or IP address of the SMTP server placed in your local network.
6. Next to the Service field, click Select.
7. In the Select Items dialog, check the Kerio Connect services group (see figure 2).
8. Click Finish.
9. Move the rule to the top of the table of traffic rules.

Figure 2 Adding a service group

Other examples

- Network address translation
- Multihoming
- Limiting Internet Access
- Exclusions

User accounts and groups in traffic rules

In traffic rules, source/destination can also be specified by user accounts and/or user groups. In the traffic policy, each user account represents the IP address of the host from which a user is connected. This means that the rule is applied only to users authenticated at the firewall (when the user logs out, the rule is no longer effective):

Enabling certain users to access the Internet

In a private network and with the Internet connection performed through NAT, you can specify which users can access the Internet in the Source item in the NAT rule.

Figure 3 This traffic rule allows only selected users to connect to the Internet

Such rules enable the specified users to connect to the Internet if they authenticate. They need to open the Kerio Control interface's login page manually and authenticate.

With the rule defined, all methods of automatic authentication are ineffective (i.e. redirecting to the login page, NTLM authentication and automatic authentication from defined hosts). Automatic authentication (redirection to the login page) is performed when the connection to the Internet is established. This NAT rule blocks any connection unless the user is authenticated.

Enabling automatic authentication

The automatic user authentication issue can be solved as follows:

1. Add a rule allowing unlimited access to the HTTP service and place it before the NAT rule.

   Figure 4 These traffic rules enable automatic redirection to the login page

2. In Content Rules, allow specific users to access any web site and deny any access to other users.

   Figure 5 These URL rules enable specified users to access any Web site

Users who are not yet authenticated and attempt to open a web site are automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After a successful authentication, users specified in the NAT rule (see figure 4) will be allowed to access other Internet services. Users not specified in the rules will not be allowed to access any web site and/or other Internet services.

In this example, it is assumed that client hosts use the Kerio Control DNS Forwarder or a local DNS server (traffic must be allowed for the DNS server). If the client stations use a DNS server in the Internet, you must include the DNS service in the rule which allows unlimited Internet access.

Demilitarized zone (DMZ)

This topic is covered in a special article: Configuring demilitarized zone (DMZ).

Policy routing

This topic is covered in a special article: Configuring policy routing.

Configuring IP address translation

IP address translation (NAT) overview

Network Address Translation (NAT) is a term used for the exchange of a private IP address in a packet going out from the local network to the Internet with the IP address of the Internet interface of the Kerio Control host. This technology is used to connect local private networks to the Internet by a single public IP address.

Configuring IP address translation

1. In the administration interface, go to Traffic Rules. IP address translation must be configured for the particular rules.
2. Double-click Translation in the selected rule.
3. In the Traffic Rule - Translation dialog, you can configure the following:

Source IP address translation (NAT, Internet connection sharing)

Source address translation is used in traffic rules applied to traffic from the local private network to the Internet. In other rules (traffic between the local network and the firewall, between the firewall and the Internet, etc.), NAT is unnecessary.

For source address translation, check Enable source NAT and select:

Default setting (recommended)

By default, in packets sent from the LAN to the Internet the source IP address will be replaced by the IP address of the Internet interface of the firewall through which the packet is sent. This IP address translation method is useful in the general rule for access from the LAN to the Internet, because it works correctly in any Internet connection configuration and for any status of individual links.

For a single leased link, or connection failover, the following options have no effect on Kerio Control's functionality. If Kerio Control works in the mode of network traffic load balancing, you can select:

Perform load balancing per host: traffic from the specific host in the LAN will be routed via the same Internet link.
This method is set as default, because it guarantees the same behavior as in the case of clients connected directly to the Internet. However, load balancing dividing the traffic among individual links may not be optimal in this case.

Perform load balancing per connection: the Internet link will be selected for each connection established from the LAN to the Internet to spread the load optimally.

This method guarantees the most efficient use of the Internet connection's capacity. However, it might also introduce problems and collisions with certain services. The problem is that individual connections are established from various IP addresses (depending on the firewall's interface from which the packet is sent), which may be considered an attack at the destination server.

Hint: For maximal efficiency of the connection's capacity, go to the Configuring policy routing article.

Use specific outgoing interface

Packets will be sent to the Internet via this specific link. This allows definition of rules for forwarding specific traffic through a selected interface (so called policy routing).

If the selected Internet link fails, Internet will be unavailable for all services, clients, etc. specified by this rule. To prevent such situations, check Allow using of a different interface if this one becomes unavailable.

Use specific IP address

An IP address for NAT will be used as the source IP address for all packets sent from the LAN to the Internet. It is necessary to use an IP address of one of the firewall's Internet interfaces. Definition of a specific IP address cannot be used in combination with network load balancing or connection failover.

Full cone NAT

The typical behavior of NAT allows returning traffic only from a specific IP address. The behavior can be adjusted to allow returning traffic from any IP address. This is called full cone NAT.

If this option is off, Kerio Control performs so called port restricted cone NAT. In outgoing packets transferred from the local network to the Internet, Kerio Control replaces the source IP address of the interface with the public address of the firewall (see above). If possible, the original source port is kept; otherwise, another free source port is assigned.
For returning traffic, the firewall allows only packets arriving from the same IP address and port to which the outgoing packet was sent. This translation method guarantees high security: the firewall will not let in any packet which is not a response to the sent request.

However, many applications (especially applications working with multimedia, Voice over IP technologies, etc.) use another traffic method where other clients can (with direct connection established) connect to a port opened by an outgoing packet. Therefore, Kerio Control also supports the full cone NAT mode where the described restrictions are not applied for incoming packets. The port then lets in incoming packets with any source IP address and port. This translation method may be necessary to enable full functionality of certain applications.
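The difference between the two modes described above can be seen in a small model of the NAT mapping table. This is an added example, not Kerio Control code: the class, the port allocation strategy and all addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FIREWALL_PUBLIC_IP = "203.0.113.10"  # constructed address (documentation range)


@dataclass
class Mapping:
    lan_ip: str
    lan_port: int
    # Remote (ip, port) pairs this LAN socket has already sent packets to.
    peers: set = field(default_factory=set)


class SourceNat:
    """Toy source NAT: port restricted cone by default, full cone on request."""

    def __init__(self, public_ip, full_cone=False):
        self.public_ip = public_ip
        self.full_cone = full_cone
        self.by_public_port = {}  # public port -> Mapping
        self.by_lan = {}          # (lan_ip, lan_port) -> public port

    def _allocate_port(self, wanted):
        # Keep the original source port if possible, otherwise take a free one.
        if wanted not in self.by_public_port:
            return wanted
        for port in range(1024, 65536):
            if port not in self.by_public_port:
                return port
        raise RuntimeError("no free source port")

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns the (public ip, port) it leaves from."""
        key = (lan_ip, lan_port)
        if key not in self.by_lan:
            port = self._allocate_port(lan_port)
            self.by_lan[key] = port
            self.by_public_port[port] = Mapping(lan_ip, lan_port)
        port = self.by_lan[key]
        self.by_public_port[port].peers.add((dst_ip, dst_port))
        return (self.public_ip, port)

    def inbound(self, src_ip, src_port, public_port):
        """Return the LAN (ip, port) an incoming packet is forwarded to, or None if dropped."""
        mapping = self.by_public_port.get(public_port)
        if mapping is None:
            return None  # nothing in the LAN opened this port
        if not self.full_cone and (src_ip, src_port) not in mapping.peers:
            return None  # port restricted: only the contacted ip:port may answer
        return (mapping.lan_ip, mapping.lan_port)


def accepted_senders(nat, public_port, senders):
    """Which of the given (ip, port) senders get through to the LAN host."""
    return [s for s in senders if nat.inbound(s[0], s[1], public_port) is not None]


# Constructed scenario: a LAN VoIP phone registers with its provider.
PROVIDER = ("198.51.100.5", 5060)
SENDERS = [
    PROVIDER,                 # the server the phone actually contacted
    ("198.51.100.5", 40000),  # same server, different source port
    ("192.0.2.77", 5060),     # unrelated Internet host
]


def run_scenario(full_cone):
    nat = SourceNat(FIREWALL_PUBLIC_IP, full_cone=full_cone)
    _, public_port = nat.outbound("192.168.1.20", 5060, *PROVIDER)
    return accepted_senders(nat, public_port, SENDERS)


if __name__ == "__main__":
    print("port restricted:", run_scenario(full_cone=False))
    print("full cone:      ", run_scenario(full_cone=True))
```
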

Full cone NAT may introduce certain security threats: the port opened by the outgoing connection can be accessed without any restrictions being applied. For this reason, it is recommended to enable full cone NAT only for a specific service (i.e. to create a special rule for this purpose).

Destination NAT (port mapping)

Destination address translation (also called port mapping) is used to allow access to services hosted in private local networks behind the firewall.

For port mapping:

1. Check Enable destination NAT.
2. In field Translate to the following host, type a host address or DNS name. This is the IP address that will substitute the packet's destination address. This address also represents the address/name of the host on which the service is actually running.
3. If you want to change a port, check Translate port as well and type the port of a service. During the process of IP translation you can also substitute the port of the appropriate service. This means that the service can run at a port that is different from the port where it is available from the Internet. This option cannot be used if multiple services or ports are defined in the Service entry within the appropriate traffic rule.

For examples of traffic rules for port mapping and their settings, refer to article Configuring traffic rules.

A default NAT rule description

Figure 1 A typical traffic rule for NAT (Internet connection sharing)

Source

Group Trusted/Local Interfaces (from the Interfaces section). This group includes all segments of the LAN connected directly to the firewall. If access to the Internet from some segments is supposed to be blocked, the most suitable group to file the interface into is Other interfaces. Interfaces are described in the Configuring network interfaces article.

If the local network consists of cascaded segments (i.e. it includes other routers), it is not necessary to customize the rule in accordance with this fact; it is just necessary to set routing correctly.

Destination

The Internet Interfaces group. With this group, the rule is usable for any type of Internet connection.

Service

This entry can be used to define global limitations for Internet access. If particular services are defined for NAT, only these services will be used for the NAT and other Internet services will not be available from the local network.

Actions

The Action must be set to Allow.

Translation

In the Source NAT section select the Default settings option (the primary IP address of the outgoing interface will be used for NAT). The default option will ensure that the correct IP address and interface are used for the intended destination. Destination NAT should not be configured for outgoing rules, except under very unique circumstances.

Placing the rule

The rule for destination address translation must be preceded by all rules which deny access to the Internet from the local network.

Such a rule allows access to the Internet from any host in the local network, not from the firewall itself (i.e. from the Kerio Control host). Traffic between the firewall and the Internet is enabled by a special rule by default. Since the Kerio Control host can access the Internet directly, it is not necessary to use NAT.
Figure 2 Rule for traffic between the firewall and hosts in the Internet

Configuring traffic rules multihoming

Multihoming overview

Multihoming is a term used for situations when one network interface connected to the Internet uses multiple public IP addresses. Typically, multiple services are available through individual IP addresses (this implies that the services are mutually independent).

A web server web1 with IP address and a web server web2 with IP address are running in the local network. The interface connected to the Internet uses public IP addresses and :
- web1 to be available from the Internet at the IP address
- web2 to be available from the Internet at the IP address

The two following traffic rules must be defined in Kerio Control to enable this configuration:

Figure 1 Multihoming web servers mapping

1. In the administration interface, go to Traffic Rules.
2. Click Add.
3. In the Add New Rule dialog, type a name of the rule (Web1 server mapping) and click Next.
4. In the Source section, leave Any and click Next.
5. In the Destination section, click Add → Host, Network, Address range. The IP address of the interface connected to the Internet must be added (our example: ).
6. Click Next.
7. In the Service section, select HTTP.

   Figure 2 Add New Rule dialog
8. Click Finish.
9. In the Web1 server mapping rule, click in the column Translation.
10. In the Traffic Rule - Translation dialog, check the Enable destination NAT option and type the IP address of a corresponding Web server (web1) to the Translate to the following host field.
11. Repeat steps 1-8 for Web2 server.

Configuring traffic rules limiting Internet access

Limiting Internet Access

Access to Internet services from the local network can be limited in several ways. In the following examples, the limitation rules use IP translation (see the Configuring IP address translation article).

Other methods of Internet access limitations can be found in the Configuring traffic rules - exclusions article.

Rules mentioned in these examples can also be used if Kerio Control is intended as a neutral router (no address translation): in the Translation entry there will be no translations defined.

1. Allow access to selected services only. In the translation rule in the Service entry, specify only those services that are intended to be allowed.

   Figure 1 Internet connection sharing: only selected services are available

2. Limitations sorted by IP addresses. Access to particular services (or access to any Internet service) will be allowed only from selected hosts. In the Source entry define the group of IP addresses from which the Internet will be available. This group must be defined beforehand in Definitions → IP Address Groups.

   Figure 2 Only selected IP address group(s) is/are allowed to connect to the Internet

   This type of rule should be used only for hosts with static IP addresses.

3. Limitations sorted by users. The firewall monitors whether the connection is from an authenticated host. In accordance with this fact, the traffic is permitted or denied.

   Figure 3 Only selected user group(s) is/are allowed to connect to the Internet

   Alternatively you can define the rule to allow only authenticated users to access specific services. Any user that has a user account in Kerio Control will be allowed to access the Internet after authenticating to the firewall. Firewall administrators can easily monitor which services and which pages are opened by each user.

   Figure 4 Only authenticated users are allowed to connect to the Internet

Usage of user accounts and groups in traffic policy follows specific rules.

Configuring traffic rules exclusions

Configuring exclusions

You may need to allow access to the Internet only for a certain user/address group, whereas all other users should not be allowed to access this service.

This will be better understood through the following example (how to allow a user group to use SSH for access to servers in the Internet). Use the following rule to meet these requirements:

The rule will allow selected users (or a group of users/IP addresses, etc.) to access SSH servers in the Internet. The default rule (Block other traffic) blocks the other users and communication.

Figure 1 Exception: SSH is available only for selected user group(s)

Troubleshooting traffic rules

Overview

If a particular communication is not working through Kerio Control (let's say your users cannot go to the server example.com), it is possible that your traffic rules are not working correctly. This article describes how to find packets dropped by a traffic rule and, subsequently, how to find the broken traffic rule.

Seeking dropped packets

1. In the administration interface, go to Logs → Debug.
2. Right-click the Debug window.
3. In the context menu, click Messages.
4. Check the Packets dropped for some reason option.
5. Find dropped packets which correspond with your unestablished communication. Example:

   [08/Apr/ :02:15] {pktdrop} packet dropped: 3-way handshake not completed (from Ethernet, proto:tcp, len:48, : > :443, flags:[ SYN ], seq: / ack:0, win:8192, tcplen:0)

Testing traffic rules

The Test Rules feature helps to find the broken traffic rule if there are too many rules in your Kerio Control. The feature shows all rules which match a particular packet description.

1. In the administration interface, go to Traffic Rules.
2. Click the Test Rules button.
3. Type the source IP address you found in the debug log (in our example it is ).
4. Type the destination IP address you found in the debug log (in our example it is ).
5. Type the destination port you found in the debug log (in our example it is 443).

6. Click OK.

The traffic rules list displays only rules matching the packet description. You can identify the corrupt rule and fix it.

Figure 1 The Test rules dialog
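The top-down, first-match evaluation with an implicit final deny, and the idea behind Test Rules (list every rule matching a source IP, destination IP and destination port), can be reproduced in a short model. This is an added example, not Kerio Control code: rules here match on addresses and ports only, and the rule names, address ranges and the `matching_rules`/`decide` helpers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # CIDR network or ANY
    destination: str   # CIDR network or ANY
    ports: tuple       # allowed destination ports; empty tuple means any service
    action: str        # "allow" or "deny"


# The implicit last rule: it cannot be removed and discards whatever nothing else allowed.
IMPLICIT_DENY = Rule("Block other traffic", ANY, ANY, (), "deny")


def _addr_matches(spec, ip):
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def rule_matches(rule, src, dst, dport):
    return (_addr_matches(rule.source, src)
            and _addr_matches(rule.destination, dst)
            and (not rule.ports or dport in rule.ports))


def matching_rules(rules, src, dst, dport):
    """Test Rules view: names of every rule matching the packet, in list order."""
    return [r.name for r in list(rules) + [IMPLICIT_DENY]
            if rule_matches(r, src, dst, dport)]


def decide(rules, src, dst, dport):
    """What the firewall does: apply the first matching rule from the top."""
    for rule in list(rules) + [IMPLICIT_DENY]:
        if rule_matches(rule, src, dst, dport):
            return (rule.action, rule.name)


# Constructed policy with a mistake: the lab block was meant for
# 192.168.50.0/24 but was entered as a /16, so it shadows the rules below it.
BROKEN = [
    Rule("Block lab segment", "192.168.0.0/16", ANY, (), "deny"),
    Rule("SSH for admins", "192.168.10.0/24", ANY, (22,), "allow"),
    Rule("Internet access (NAT)", "192.168.1.0/24", ANY, (80, 443), "allow"),
]
FIXED = [Rule("Block lab segment", "192.168.50.0/24", ANY, (), "deny")] + BROKEN[1:]

# Packet description taken from a (constructed) pktdrop entry: SYN to port 443.
PACKET = ("192.168.1.25", "198.51.100.7", 443)

if __name__ == "__main__":
    print("matching rules:", matching_rules(BROKEN, *PACKET))
    print("broken policy: ", decide(BROKEN, *PACKET))
    print("fixed policy:  ", decide(FIXED, *PACKET))
```
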

Configuring Demilitarized Zone (DMZ)

Demilitarized Zone (DMZ)

Demilitarized zone (DMZ) is a special segment of the local network reserved for servers accessible from the Internet. It is not allowed to access the local network from this segment: if a server in the DMZ is attacked, it is impossible for the attacker to reach other servers and computers located in the local network.

Configuring DMZ

As an example we will suppose rules for a web server located in the DMZ. The demilitarized zone is connected to the DMZ interface included in group Other Interfaces. The DMZ uses subnet x, the web server's IP address is

Now you will add the following rules:
- Make the web server accessible from the Internet: mapping HTTP service on the server in the DMZ.
- Allow access from the DMZ to the Internet via NAT (IP address translation): necessary for correct functionality of the mapped service.
- Allow access from the LAN to the DMZ: this makes the web server accessible to local users.
- Disable access from the DMZ to the LAN: protection against network intrusions from the DMZ. This is globally solved by a default rule blocking any other traffic (here we have added the blocking rule for better understanding).

Figure 1 Traffic rules for the DMZ

Hint: To make multiple servers accessible in the DMZ, it is possible to use multiple public IP addresses on the firewall's Internet interface (so called multihoming).

Configuring policy routing

Policy routing overview

If the LAN is connected to the Internet by multiple links with load balancing, it may be necessary to force certain types of traffic out a particular interface. For example, sending VoIP traffic out a different interface than your web browsing or streaming media. This approach is called policy routing.

In Kerio Control, policy routing can be defined by conditions in traffic rules for Internet access with IP address translation (NAT).

Policy routing traffic rules are of higher priority than routes defined in the routing table.

Configuring a preferred link for traffic

The firewall is connected to the Internet by two links with load balancing with speed values of 4 Mbit/s and 8 Mbit/s. One of the links is connected to the provider where the mailserver is also hosted. Therefore, all traffic (SMTP, IMAP and POP3) is routed through this link.

Define traffic rules:
- The first rule defines that NAT is applied to services and the Internet 4 Mbit interface is used.
- The other rule is a general NAT rule with automatic interface selection.

Figure 1 Policy routing: a preferred link for traffic

    The NAT setting in the rule for email services is shown in figure 2. Allow use of a back-up link in case the preferred link fails. Otherwise, these services will be unavailable when the connection fails.

    Figure 2: Policy routing, setting NAT for a preferred link

    In the second rule, automatic interface selection is used. This means that the Internet 4 Mbit link is also used for network traffic load balancing. Email traffic is still respected and has higher priority on the link preferred by the first rule. This means that total load will be efficiently balanced between both links all the time.

    If you need to reserve a link only for a specific traffic type (i.e. route other traffic through other links), go to Interfaces and uncheck the Use for Link Load Balancing option. In this case the link will not be used for automatic load balancing. Only traffic specified in corresponding traffic rules will be routed through it.

    Figure 3: Interfaces, uncheck the Use for Link Load Balancing option

    Configuring an optimization of network traffic load balancing

    Kerio Control provides two options of network traffic load balancing:

    - per host (clients)
    - per connection

    The best solution (more efficient use of individual links) proves to be load balancing per connection. However, this mode may encounter problems with access to services where multiple connections get established at one moment (web pages and other web related services). The server can consider the differing source addresses in individual connections as connection recovery after failure or as an attack attempt.

    This problem can be solved by policy routing. For problematic services (e.g. HTTP and HTTPS) the load will be balanced per host, i.e. all connections from one client will be routed through a particular Internet link so that their IP address will be identical (a single IP address will be used). For any other services, load balancing per connection will be applied, so the capacity of available links is used as efficiently as possible.

    These requirements are met by using two NAT traffic rules:

    - In the first rule, specify corresponding services and set the per host NAT mode.
    - In the second rule, which will be applied for any other services, set the per connection NAT mode.

    Figure 4: Policy routing, load balancing optimization
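The effect of the two NAT modes can be seen in a short simulation, added here as an illustration and not taken from Kerio Control. The weighted hash used to pick a link, the client and server addresses, and all function names are assumptions; each link is assumed to NAT to its own public address, so "links used" equals "source addresses the server sees".

```python
import hashlib

# Constructed links; names and speeds follow the page's 4 Mbit/s and 8 Mbit/s example.
LINKS = [("Internet 4 Mbit", 4), ("Internet 8 Mbit", 8)]
# Services the page calls problematic under per-connection balancing.
PER_HOST_PORTS = {80, 443}


def _weighted_pick(key):
    """Map a key to a link, proportionally to link speed (assumed scheme)."""
    total = sum(weight for _, weight in LINKS)
    digest = hashlib.sha256(key.encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    for name, weight in LINKS:
        if slot < weight:
            return name
        slot -= weight
    raise AssertionError("slot always falls inside one link's share")


def select_link(conn, mode):
    """conn = (src_ip, src_port, dst_ip, dst_port); mode is the NAT balancing mode."""
    src_ip, src_port, dst_ip, dst_port = conn
    if mode == "per_host":
        # Only the client address is hashed: every connection of a host agrees.
        return _weighted_pick(src_ip)
    if mode == "per_connection":
        # The whole connection tuple is hashed: parallel connections spread out.
        return _weighted_pick(f"{src_ip}:{src_port}>{dst_ip}:{dst_port}")
    raise ValueError(f"unknown mode: {mode}")


def policy_select(conn):
    """The two NAT rules from the text: per host for HTTP/HTTPS, per connection otherwise."""
    mode = "per_host" if conn[3] in PER_HOST_PORTS else "per_connection"
    return select_link(conn, mode)


def links_seen_by_server(conns, chooser):
    """Group by (client, server, port) and collect the links each flow group used."""
    seen = {}
    for conn in conns:
        src_ip, _, dst_ip, dst_port = conn
        seen.setdefault((src_ip, dst_ip, dst_port), set()).add(chooser(conn))
    return seen


def browser_session(client, server, port, count=40):
    """Constructed sample: one client opening many parallel connections."""
    return [(client, 50000 + i, server, port) for i in range(count)]


if __name__ == "__main__":
    web = browser_session("192.168.1.10", "203.0.113.80", 443)
    for label, chooser in [
        ("per connection", lambda c: select_link(c, "per_connection")),
        ("per host", lambda c: select_link(c, "per_host")),
        ("two-rule policy", policy_select),
    ]:
        for group, links in links_seen_by_server(web, chooser).items():
            print(f"{label:16} {group} -> {sorted(links)}")
```
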

    Configuring intrusion prevention system

    Intrusion prevention system overview

    Kerio Control integrates Snort, an intrusion detection and prevention system (IDS/IPS) protecting the firewall and the local network from known network intrusions. A network intrusion is network traffic that impacts the functionality or security of the victim host. A typical attribute of intrusions is their apparent legitimacy, and it is difficult to uncover such traffic and filter it simply by traffic rules. Let us use a Denial of Service intrusion as an example: too many connections are established on a port to use up the system resources of the server application so that no other users can connect. However, the firewall considers this act only as access to an allowed port.

    The intrusion prevention system works on all network interfaces included in the Internet Interfaces group. It detects and blocks network intrusions coming from the Internet, not from hosts in local networks or VPN clients. Use of NAT is required for IPv4. Intrusion detection is performed before traffic rules.

    Configuring intrusion prevention

    1. In the administration interface, go to Intrusion Prevention.
    2. Check Enable Intrusion Prevention.
    3. Leave Severity levels in the default mode. Kerio Control distinguishes three levels of intrusion severity:
       - High severity: activity where the probability that it is a malicious intrusion attempt is very high (e.g. Trojan horse network activity).
       - Medium severity: activities considered as suspicious (e.g. traffic by a non-standard protocol on the standard port of another protocol).
       - Low severity: network activities which do not indicate immediate security threat (e.g. port scanning).
    4. Test the intrusion prevention system by clicking the link On the Kerio website, you can test these settings.

    Upon startup of the test, three fake harmless intrusions of high, middle, and low severity will be sent to the IP address of your firewall. The Kerio website is accessible on both IPv4 and IPv6 addresses. Therefore, you can also test IPS on IPv6 on the Kerio website. The Security log will report when the firewall identified and possibly blocked an intrusion.

    Configuring ignored intrusions

    In some cases, legitimate traffic may be detected as an intrusion. If this happens, it is helpful to define an exception for the intrusion:

    1. In the administration interface, go to the Security log.
    2. Locate the log event indicating the filtered traffic. For example: "IPS: Error code 40022, severity: Medium, Rule ID: 1: ET VOIP Multiple Unauthorized SIP Responses"
    3. Copy the rule ID number.
    4. In the administration interface, go to Intrusion Prevention.
    5. Click Advanced.
    6. In the Advanced Intrusion Prevention Settings dialog, click Add.
    7. Paste the rule ID number and a description.

    The legitimate traffic will be allowed now.

    Configuring protocol-specific intrusions

    Some intrusions may target security weaknesses in specific application protocols. Therefore, some security rules are focused on special protocols on standard and frequently used ports. If an application that uses any of the listed protocols on a non-standard port (e.g. HTTP on port 10000) is available from the Internet, it can be helpful to add this port to the list of ports on which protocol-specific intrusions will be detected:

    1. In the administration interface, go to Intrusion Prevention.
    2. Click Advanced.
    3. In the Advanced Intrusion Prevention Settings dialog, find the desired service (HTTP in our example).

    4. Double-click the selected row and type the port (10000 in our example).
    5. Save the settings.

    The service running on the non-standard port will be protected by the protocol-specific intrusions.

    IP blacklists overview

    Kerio Control is able to log and block traffic from IP addresses of known intruders (so-called blacklists). This method of detecting and blocking intruders is much faster and also less demanding than detection of individual intrusion types. However, there are also disadvantages. Blacklists cannot include IP addresses of all possible intruders. A blacklist may also include IP addresses of legitimate clients or servers. Therefore, you can set the same actions for blacklists as for detected intrusions.

    Automatic updates

    For correct functionality of the intrusion detection system, it is necessary to update databases of known intrusions and intruder IP addresses regularly. Under normal circumstances there is no reason to disable automatic updates: non-updated databases decrease the effectiveness of the intrusion prevention system.

    Automatic updates are incremental. If you need to force a full update, click Shift + Update now.

    For database updates, a valid Kerio Control license or a registered trial version is required.

    Filtering MAC addresses

    Filtering MAC addresses overview

    Kerio Control allows filtering by hardware addresses (MAC addresses). Filtering by MAC addresses ensures that specific devices can be allowed or denied, regardless of their IP address. The MAC address filter is processed independently of traffic rules.

    Configuring the filter

    1. In the administration interface, go to Security Settings.
    2. On tab MAC filter, check the network interface where the MAC filter will be applied (usually LAN).
    3. Select the right mode:
       - Prevent listed computers from accessing the network: the filter will block only MAC addresses included on the list. This mode can be used to block known MAC addresses, but will not filter traffic of new, unknown devices.
       - Permit only listed computers to access the network: the filter allows only MAC addresses included on the list, any other address will be blocked. Check Also permit MAC addresses used in DHCP reservations or automatic user login if you use automatic user login and DHCP reservation by MAC. MAC addresses permitted by automatic user login and DHCP reservations are not visible in the MAC addresses list (see below).
    4. Add MAC addresses to the list. MAC addresses can be separated by:
       - colons (e.g. a0:de:bf:33:ce:12)
       - dashes (e.g. a0-de-bf-33-ce-12)
       - without separators (a0debf33ce12)

    5. Double check that listed addresses are correct.
    6. Check Enable MAC filter.
    7. Click Apply.

    Your filter is fully configured and active.
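The procedure above can be rehearsed offline before the filter is enabled. The following is an added example, not Kerio Control code: it accepts the three notations from step 4, audits a list as in step 5, and models the two modes from step 3. The class, the function names and the mode strings are hypothetical, and the sample addresses are constructed.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text):
    """Accept colon, dash or unseparated notation; return 12 lowercase hex digits."""
    s = text.strip().lower()
    seps = {ch for ch in s if ch in ":-"}
    if len(seps) > 1:
        raise ValueError(f"mixed separators: {text!r}")
    if seps:
        groups = s.split(seps.pop())
        if len(groups) != 6 or any(len(g) != 2 for g in groups):
            raise ValueError(f"expected six two-digit groups: {text!r}")
        s = "".join(groups)
    if not _HEX12.fullmatch(s):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return s


def audit_list(entries):
    """Step 5 (double check): return (valid set, invalid entries, duplicate entries)."""
    valid, invalid, duplicates = set(), [], []
    for entry in entries:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            invalid.append(entry)
            continue
        if mac in valid:
            duplicates.append(entry)  # same device typed in another notation
        valid.add(mac)
    return valid, invalid, duplicates


class MacFilter:
    """Model of the two filter modes (mode names are hypothetical labels)."""

    MODES = ("prevent_listed", "permit_only_listed")

    def __init__(self, mode, listed, reserved=(), permit_reserved=False):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.listed = {normalize_mac(m) for m in listed}
        # MACs known from DHCP reservations or automatic user login.
        self.reserved = {normalize_mac(m) for m in reserved}
        self.permit_reserved = permit_reserved

    def allows(self, mac):
        mac = normalize_mac(mac)
        if self.mode == "prevent_listed":
            return mac not in self.listed  # unknown devices pass in this mode
        if mac in self.listed:
            return True
        return self.permit_reserved and mac in self.reserved


def lockout_check(mac_filter, must_keep):
    """Return the devices from must_keep that the filter would block once enabled."""
    return [m for m in must_keep if not mac_filter.allows(m)]
```

Because a client can set its own MAC address, treat the permit-only list as inventory control rather than authentication, and run `lockout_check` with the administrator workstation's address before step 6.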

    Support for IPv6 protocol

    - Configuring IPv6 parameters on network interfaces
    - Routing between individual interfaces
    - Kerio Web Filter
    - Antivirus on HTTP connections
    - Content filter on HTTP connections
    - Stateless address autoconfiguration of hosts and devices in the LAN (SLAAC)
    - Basic firewall with configuration options (IPv6 filtering)
    - Bandwidth management (without the option to define custom rules and bandwidth reservation)
    - Overview of active connections
    - Volumes of data transferred on individual network interfaces
    - Monitoring IP traffic in the Debug log
    - Monitoring IP traffic in Kerio Control statistics
    - IP address groups
    - Traffic Rules
    - Intrusion and prevention system (IPS)
    - IP tools
    - MAC filter
    - Overview of an active host's activities (only the port-based activities are recognized, such as Remote access, Instant messaging, Mail, Web pages, Streams)
    - Configuration backup to Samepage.io or an FTP server
    - Reverse proxy

    Kerio Control can therefore be used as an IPv6 router and allows access from hosts in the local network to the Internet via IPv6.

    IPv6 filtering

    Kerio Control supports allowing traffic by IPv6. In newer operating systems, this protocol is enabled by default and the computer has an automatically generated IPv6 address. This can cause a security hazard. For security reasons, any incoming native and tunneled IPv6 traffic is disabled by default.

    Allowing IPv6 for particular computers or prefixes

    To allow incoming traffic through the IPv6 protocol from a particular prefix or computer:

    1. In the administration interface, go to Traffic Rules.
    2. Prepare rules for incoming and outgoing traffic. Read more in the Configuring traffic rules article.
    3. Click Apply.

    During the upgrade to Kerio Control 8.4.0, your settings from the Security Settings tab are hidden. Kerio Control automatically creates new incoming and outgoing rules in Traffic Rules instead.

    Blocking IPv6 tunneling

    1. In the administration interface, go to Security Settings → IPv6.
    2. Select option Block tunneled IPv6.
    3. (Optional) In Definitions → IP Address Groups, add a new group of allowed hosts.
    4. Go back to Security Settings → IPv6.
    5. Check Except for the following IPv4 hosts and select the IP address group.
    6. Click Apply.

    IPv6 router advertisement

    IPv6 router advertisement is used for automatic stateless configuration of IPv6 devices in the LAN (SLAAC). Add a record for every network in which Kerio Control is supposed to advertise as a default router.

    1. In the administration interface, go to IPv6 Router Advertisements.
    2. Click Add.
    3. Select an interface connected to the network where the router should advertise.
    4. Double-click Prefix and type the IPv6 prefix (subnet address). It has the form of an IPv6 address and has to fit the set prefix length, i.e. all bits beyond the prefix length must be zero.
    5. Double-click Prefix length and type the number of bits of the IPv6 address which are considered as a prefix (subnet address).
    6. Click Apply.

    Configuring Service Discovery forwarding in the Kerio Control network

    Service Discovery forwarding overview

    New in Kerio Control 8.5!

    Kerio Control forwards Service Discovery protocols between networks. This allows remote users across VPN tunnels or other networks to locate and reach devices (printers, Apple TV, and so on) that host services behind the firewall.

    If you have more Kerio Controls connected through the Kerio VPN tunnel, all Kerio Controls must have Service Discovery forwarding enabled. Also, all network devices in your network (switches, routers, and modems) must support multicast forwarding.

    Examples of Service Discovery protocols include:

    - mDNS, which is used by Apple Bonjour for locating Apple services, or devices such as printers (Bonjour Gateway)
    - NetBIOS Name service, which is used to identify Microsoft Windows workstations, servers, and services
    - SSDP, which is used by devices and applications supporting UPnP

    Kerio Control supports Service Discovery forwarding only for Kerio VPN. IPsec VPN is not supported.

    Configuring Service Discovery forwarding

    To enable Service Discovery forwarding and to select subnets:

    1. In the administration interface, go to Security Settings → Zero-configuration Networking.
    2. Select Enable Service Discovery forwarding.
    3. Select the interfaces (subnets) for which you want to enable Service Discovery forwarding.
    4. Click Apply.

    Kerio Control makes zero-configuration devices accessible in the selected interfaces.

    Troubleshooting

    If you have trouble with service discovery forwarding, verify that the firewall is set properly on the client computers. In Windows Firewall, we recommend creating inbound and outbound rules to allow traffic on ports 137 and 138 for any remote interface even if you disable Windows Firewall.

    If you use Kerio Control VPN Client, the NetBIOS interface is disabled by default. To enable NetBIOS:

    1. In your network connections, right-click Kerio Virtual Network and click Properties.
    2. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
    3. Click Advanced.
    4. On the WINS tab, select option Enable NetBIOS over TCP/IP.
    5. Save your settings.


    Configuring Universal Plug-and-Play (UPnP)

    Universal Plug-and-Play (UPnP) overview

    Kerio Control supports the UPnP protocol (Universal Plug-and-Play). This protocol enables client applications (e.g. Microsoft MSN Messenger) to detect the firewall and request mapping of appropriate ports from the Internet for the particular host in the local network. Such mapping is always temporary: it is applied either until ports are released by the application (using UPnP messages) or until a certain timeout expires.

    The required port must not collide with any existing mapped port or any traffic rule allowing access to the firewall from the Internet. Otherwise, the UPnP port mapping request will be denied.

    Configuring the UPnP support

    UPnP can be enabled under Security Settings, the Miscellaneous tab.

    - Enable UPnP: This option enables UPnP.
    - Log packets: If this option is enabled, all packets passing through ports mapped with UPnP will be recorded in the Filter log.
    - Log connections: If this option is enabled, all packets passing through ports mapped with UPnP will be recorded in the Connection log.

    Although UPnP is a useful feature, it may also endanger network security, especially in networks with many users where the firewall could be controlled by too many users. The firewall administrator should consider carefully whether to prefer security or functionality of applications that require UPnP.

    Using traffic policy you can limit usage of UPnP and enable it for certain IP addresses or certain users only. Example:

    Figure 1: Traffic rules allowing UPnP for specific hosts

    The first rule allows UPnP only from the UPnP Clients IP group. The second rule denies UPnP from other hosts (IP addresses).

    Configuring bandwidth management

    Bandwidth management overview

    Kerio Control includes bandwidth management, which regulates network traffic to ensure reliability of essential services and avoid congestion.

    How bandwidth management works

    The bandwidth management feature provides two basic functions:

    - Limiting bandwidth for data transfers: This approach is designed to reduce congestion caused by non-essential traffic (for example, large data transfers, video streaming, and so on).
    - Reserving bandwidth for specific services: You can also reserve bandwidth for services crucial for basic operations (IP telephony, etc.). This bandwidth will be always available, regardless of the current traffic load.

    Internet links speed

    For correct bandwidth management, you need to assign a link speed to each Internet interface. For bandwidth management to be most effective, a conservative link speed estimate is best: approximately 80% of the actual speed.

    Example: For an ADSL line with a declared 8192/512 Kbit/s, set the download speed to 6250 Kbit/s and the upload speed to 400 Kbit/s.

    Configuring bandwidth management

    Suppose you want to restrict user John Smith to 50% of the link for download in all interfaces during his working hours:

    1. In the administration interface, go to Bandwidth Management and QoS.
    2. To create a new rule, click Add.
    3. Type a name for the rule (John Smith).
    4. Double-click Traffic.

    Figure 1: The Traffic dialog

    5. In the Traffic dialog, click Add and choose Selected Users / Groups.
    6. Double-click Download, check Do not exceed, and set the limit as shown here:

    Figure 2: The Download Bandwidth Policy dialog

    7. Leave Upload as it is (No limit).
    8. Leave Interface as it is (All).
    9. Double-click Valid Time, and select a time range. You can create a new time range in Definitions → Time Ranges.
    10. Check Chart.

    The timeline for traffic matching the rule can be viewed under Status → Traffic Charts (for the previous 24 hours). The chart shows how much the particular traffic loads the link and helps you optimize bandwidth management rules. Local traffic is not counted.

    11. Click Apply to save the new rule.

    The order of rules is important. Rules are processed from the top down.

    Figure 3: Bandwidth Management and QoS

    Bandwidth management and VPN tunnels

    When you are using bandwidth management and VPN tunnels at the same time, select Use rules for VPN tunnels before encrypting. Otherwise your VPN tunnel encrypts the communication, and bandwidth management rules are not applied.

    Figure 4: Bandwidth management and VPN tunnels

    This option is available in Kerio Control 8.3 and newer.

    In a new installation, the option is selected by default. If you do not have a good reason to do so, do not change the settings.

    In an upgrade installation, the option is not selected and you can check it. However, bandwidth management of your Kerio Control will be influenced by that change.

    Configuring the Content Filter

    Content filter overview

    In the content filter, Kerio Control defines the types of web activities that are allowed for users on your network. The content filter is able to block Kerio Control Web Filter categories and different types of application protocols regardless of the port used. This filtering on different network layers is easily configured by a single set of rules similar to traffic policy.

    Here are the main purposes of content filtering:

    - access limitations according to URL (substrings contained in URL addresses)
    - filtering based on classification by the Kerio Control Web Filter module (worldwide website classification database)
    - limitations based on occurrence of Forbidden words
    - access to certain FTP servers
    - limitations based on filenames
    - elimination of P2P networks

    Prerequisites

    For content filtering, the following conditions must be met:

    1. Traffic must be controlled by the HTTP / FTP / POP3 protocol inspector. The HTTP, FTP and POP3 protocol inspectors are activated automatically unless their use is denied by traffic rules.
    2. Kerio Control performs URL based filtering for encrypted traffic (HTTPS protocol). Learn more in a special article HTTPS filtering specifics.
    3. Secured FTP traffic (FTPS, SFTP) cannot be filtered.
    4. Content rules are also applied when the Kerio Control proxy server is used. However, the FTP protocol cannot be filtered if the parent proxy server is used. In such case, content rules are not applied.

    Content rules are not applied to the reverse proxy traffic in Kerio Control.

    Using the content rules

    The Content Rules table includes several predefined rules. There are several important parts of each rule:

    - Detected content: which content should be filtered in the rule.
    - Source: person or IP address to which the rule applies.
    - Action: what to do with the selected content.

    Figure 1: The Content Rules tab

    Adding content rules

    When you want to create a new rule, you can:

    - Duplicate an existing rule and change some parameters (use More Actions → Duplicate).
    - Add a new rule (use Add).

    1. In the administration interface, go to Content Filter.
    2. On tab Content Rules, click Add.
    3. In the table, type a name for the rule.
    4. Double-click Detected content and fill in the form (see details in Detecting content).
    5. Double-click Source and select users and/or IP addresses.
    6. Double-click Action and fill in the form (see details in Setting actions).
    7. (Optional) Set the valid time: you can set a time interval for applying the rule. You have to create time intervals in Definitions → Time Ranges (see article Creating time ranges in Kerio Control), then you can select the time interval in the Content Rules table.
    8. Click Apply.

    Detecting content

    In the Content Rule - Detected Content dialog, click:

    - Add Applications and Web Categories: for pages sorted in the selected categories by the Kerio Control Web Filter module and for pages sorted in the selected categories by the application detection.
    - Add File Name: to allow/disable transfer of defined file types.
    - Add URL and Hostname: to type any URL starting with the specified string. It is possible to use wildcards * (asterisk) and ? (question mark).
    - Add URL Groups: to allow/disable access to a group of web pages. For more details, read article Configuring URL groups.

    Setting actions

    To log all traffic matched with the rule, check Log the traffic. Each log will be written to the Filter log.

    The Content Rule - Action dialog varies depending on the selected action:

    Allow

    Traffic allowed. With the allow rule you can create the following types of rules:

    - skip Antivirus scanning for selected users, IP addresses or host names
    - skip Forbidden words filtering
    - Do not require authentication

    Figure 2: The allowing rule

    Deny

    The user will be redirected to the firewall page with information that access is denied. You can:

    - redirect a user to another page. It works only for HTTP sites. Blocked HTTPS sites cannot be redirected to another URL, or to the custom denial page. The page will time out for the user.
    - type a deny text
    - send a notification. The user must have an email address configured in Kerio Control. The user must be authenticated to Kerio Control.

    Figure 3: The denying rule

    Drop

    Access is denied and the user will see the page as unavailable.

    Unlocking rules

    Privileged users can continue to filtered websites if you enable this right for them. Read Setting access rights in Kerio Control for detailed information.

    Examples

    Adding new URLs for automatic updates

    If you start to use new software with the automatic updates option, you must add a new URL to the content filter:

    1. Go to Content Filter and enable rule Allow automatic updates and MS Windows activation. The rule is based on the Automatic Updates URL group.

    Figure 4: The Content Rules tab

    2. Go to Definitions → URL Groups.
    3. Click Add.
    4. In the Add URL dialog, select Select existing → Automatic Updates.
    5. Type the URL for automatic update. You can use * and ?, or select Use regular expression and type the URL as a regular expression.

    Blocking Facebook

    To deny Facebook, you have to add the following rule:

    1. On the Content Rules tab, click Add.
    2. Type a name for the new rule.
    3. Double-click Detected Content.
    4. In the Content Rule - Detected Content dialog, click Add URL and Hostname.
    5. Type facebook.com into the Site field.
    6. Check option Also apply to secured connections (HTTPS). This option has exceptions written in the HTTPS filtering specifics article.

    Figure 5: The first part of the Detected Content settings

    7. Click OK.
    8. In the Content Rule - Detected Content dialog, click Add URL and Hostname again.
    9. Type into the Site field.

    Figure 6: The second part of the Detected Content settings

    10. Select option Hostname across all protocols. Kerio Control sends a DNS query and ensures that all IP addresses used by Facebook will be identified.
    11. Click OK.
    12. Double-click Action.
    13. In the Content Rule - Action dialog, select Deny in the Action drop-down menu.
    14. Save the settings.

    Your result should be similar to figure 1. Test the rule by logging in to Facebook.

    Allowing all content from Samepage.io

    If you want to skip antivirus scanning, skip forbidden words filtering, and not require authentication for samepage.io (or another cloud service), follow the next steps:

    1. On the Content Rules tab, click Add.
    2. Type a name for the new rule (All for Samepage).
    3. Double-click Detected Content.
    4. In the Content Rule - Detected Content dialog, click Add URL and Hostname.
    5. Type samepage.io into the Site field.
    6. Select Also apply to secured connections (HTTPS). This option has exceptions written in the HTTPS filtering specifics article.
    7. Click OK.
    8. Double-click Action.
    9. In the Content Rule - Action dialog, select Allow in the Action drop-down menu.
    10. Select Skip Antivirus scanning.

    11. Select Skip Forbidden words filtering.
    12. Select Do not require authentication.
    13. Save the settings.

    Your result should be the same as figure 1.

    Figure 7: The first part of the Detected Content settings

    Eliminating Peer-to-Peer traffic

    Peer-to-Peer (P2P) networks

    Peer-to-Peer (P2P) networks are worldwide distributed systems where each node can be used both as a client and a server. These networks are used for sharing of big volumes of data (this sharing is mostly illegal). DirectConnect and Kazaa are the most popular ones.

    In addition to illegal data distribution, use of P2P networks overloads the lines via which users are connected to the Internet. Such users may limit connections of other users in the same network and may increase costs for the line (for example when the volume of transmitted data is limited for the line).

    Kerio Control provides the P2P Eliminator module which detects connections to P2P networks and applies specific restrictions. Since there is a large variety of P2P networks and parameters at individual nodes (servers, number of connections, etc.) can be changed, it is hardly possible to detect all P2P connections. However, using various methods (such as known ports, established connections, etc.), the P2P Eliminator is able to detect whether a user connects to one or multiple P2P networks.

    Configuring/Adding the P2P traffic rule

    1. In the administration interface, go to Content Filter.
    2. Select Peer-to-Peer traffic.
    3. Click Apply.

    If your Content Filter does not include the Peer-to-Peer traffic rule, you can add one:

    1. Click Add.
    2. Type a name for the new rule (for example Peer-to-Peer traffic).
    3. Double-click Detected content.
    4. In the Content Rule - Detected Content dialog, click Add Applications and Web Categories.
    5. In the Selected items dialog, select Downloads → Peer-to-Peer.
    6. Double-click Action.
    7. In the Content Rule - Action dialog, select Deny in the Action list.

    8. (Optional) Select Send notification to user for non-http connections. The user will be informed about denying P2P traffic.
    9. Save the settings.

    The result is displayed in figure 1.

    Figure 1: Peer-to-Peer traffic rule

    Information about P2P detection and blocked traffic can be viewed in the Status → Active Hosts section.

    If you also wish to notify another person when a P2P network is detected (e.g. the firewall administrator), define the alert on the Alerts Settings tab of the Accounting and Monitoring section.

    Configuring parameters for detection of P2P networks

    P2P networks are detected automatically (the P2P Eliminator module keeps running). To set the P2P Eliminator module's parameters, go to Content Filter → Advanced Settings.

    It is not possible to block connections to particular P2P networks. P2P Eliminator lets you permit services that are guaranteed not to use P2P networks.

    Consider the following TCP/UDP port numbers as suspicious

    List of ports which are exclusively used by P2P networks. These ports are usually ports for control connections; ports (port ranges) for data sharing can be set by users themselves. Ports in the list can be defined by port numbers or by port ranges. Individual values are separated by commas, while a dash is used to define ranges.

    Number of connections

    A big volume of connections established from the client host is a typical feature of P2P networks (usually one connection for each file). The Number of connections value defines the maximal number of a client's network connections that must be reached to consider the traffic as suspicious.

    The optimum value depends on circumstances (type of the user's work, frequently used network applications, etc.) and it must be tested. If the value is too low, the system can be unreliable (users who do not use P2P networks might be suspected). If the value is too high, reliability of the detection is decreased (fewer P2P networks are detected).

    Safe services

    Certain legitimate services may also show characteristics of traffic in P2P networks (e.g. a big number of connections). To ensure that traffic is not detected incorrectly and users of these services are not penalized by mistake, it is possible to define a list of so-called secure services. These services will be excluded from detection of P2P traffic.

    Default values of the P2P detection parameters were set with respect to long-term testing. As already mentioned, it is not always possible to say whether a particular user really uses P2P networks or not; the result is only a certain level of probability. Changing the detection parameters may affect the results crucially. Therefore, it is recommended to change parameters of P2P network detection only in legitimate cases (e.g. if a new port number is detected which is used only by a P2P network and by no legitimate application, or if it is found that a legitimate service is repeatedly detected as a P2P network).
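How the three parameters interact (suspicious ports, number of connections, safe services) can be tried on a constructed connection table. This is an added sketch, not the P2P Eliminator's actual logic: the port values, the sample hosts, the function names and the modelling of safe services as a port list are all assumptions.

```python
def parse_port_list(spec):
    """Parse '1214,4661-4672' (commas and dashes, as in the text) into (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, dash, high = item.partition("-")
        lo = int(low)                      # raises ValueError on '-5' or 'abc'
        hi = int(high) if dash else lo     # raises ValueError on '5-'
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port or range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def classify_host(dst_ports, suspicious, safe, max_connections):
    """Return the reasons a client's active connections look like P2P (empty = clean).

    dst_ports holds the destination port of each active connection of one client.
    """
    # Safe services are excluded from detection entirely.
    counted = [p for p in dst_ports if not in_ranges(p, safe)]
    reasons = []
    hits = sorted({p for p in counted if in_ranges(p, suspicious)})
    if hits:
        reasons.append("suspicious port(s): " + ",".join(map(str, hits)))
    if len(counted) >= max_connections:
        reasons.append(f"{len(counted)} connections >= limit {max_connections}")
    return reasons


def scan(hosts, suspicious_spec, safe_spec, max_connections):
    """Return {host: reasons} for every host that trips at least one heuristic."""
    suspicious = parse_port_list(suspicious_spec)
    safe = parse_port_list(safe_spec)
    flagged = {}
    for host, ports in hosts.items():
        reasons = classify_host(ports, suspicious, safe, max_connections)
        if reasons:
            flagged[host] = reasons
    return flagged


# Constructed sample data, not taken from a real network or from Kerio defaults.
SUSPICIOUS = "1214,4661-4672"
SAFE = "80,443"
SAMPLE_HOSTS = {
    "192.168.1.20": [443, 443, 4662],            # one connection on a listed port
    "192.168.1.21": [443] * 60,                  # busy, but only a safe service
    "192.168.1.22": list(range(20000, 20055)),   # 55 connections to arbitrary ports
    "192.168.1.23": [22, 5222, 8080],            # ordinary use
}

if __name__ == "__main__":
    for limit in (3, 50, 100):
        print(limit, sorted(scan(SAMPLE_HOSTS, SUSPICIOUS, SAFE, limit)))
```

Running it with limits 3, 50 and 100 shows both failure modes the text describes: the low limit flags the ordinary host, the high one misses the host with 55 connections.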

    Configuring HTTP cache

    HTTP cache overview

    Using cache to access web pages that are opened repeatedly reduces Internet traffic. Downloaded files are saved to the hard drive of the Kerio Control host so that it is not necessary to download them from the web server again later.

    HTTP cache is not available on Kerio Control Box.

    The cache can be used either for direct access or for access via the proxy server. You can also use it for the Kerio Control reverse proxy.

    If you use direct access, the HTTP protocol inspector must be applied to the traffic. In the default configuration of Kerio Control, this condition is met for the HTTP protocol at the default port 80.

    Configuring HTTP cache

    1. In the administration interface, go to Proxy Server → HTTP Cache.
    2. Check Enable cache for direct access to web.
    3. If you are using proxy server, check Enable cache on Kerio Control non-transparent proxy server.
    4. If you are using reverse proxy, check Enable cache for Kerio Control reverse proxy.
    5. Click Apply.

    Configuring TTL

    TTL (Time To Live) is the default time for which an object is kept in the cache.

    1. On tab HTTP Cache, set HTTP protocol TTL (default value: 1 day). This setting applies to all objects where no extra cache period is specified.
    2. Click URL Specific Settings for objects on specific pages.

    3. In the URL Specific Settings dialog, click Add.
    4. In the Add URL dialog, specify URL (or its part) of objects on which the rule will apply. The cache time is specified in hours. Value 0 means that the object will not be kept in the cache.

    Cache status and administration

    Kerio Control allows monitoring of the HTTP cache usage as well as removal of its contents. At the bottom of the HTTP Cache tab, basic status information is provided, such as the current cache size occupied and the efficiency of the cache.

    The efficiency status stands for the number of objects kept in the cache in proportion to the total number of queries (since the startup of Kerio Control). The efficiency of the cache depends especially on user behavior and habits (if users visit certain web pages regularly, if any websites are accessed by multiple users, etc.) and, to some extent, it can also be affected by the configuration parameters described above. If the efficiency of the cache is permanently low (less than 5 percent), change the cache configuration.

    The Clear cache button deletes all objects saved in cache.

    Filtering web content by word occurrence

    Kerio Control word filter overview

    Kerio Control filters web pages that include undesirable words.

    Filtering mechanism: Each denied word is assigned a value, called its weight (a positive whole number). Weights of the denied words contained in a requested page are summed (the weight of each word is counted only once regardless of how many times the word is included in the page). If the total weight exceeds the defined limit (the so-called threshold value), the page is blocked.

    The feature Forbidden Words is disabled by default. To enable it, select Enable Forbidden words filtering in the Content Filter → Forbidden Words tab.

    Adding a new forbidden word

    Figure 1 Adding forbidden words

    1. In the administration interface, go to Content Filter → Forbidden Words.
    2. Click Add.
    3. You can select an existing group or create a new one (see screenshot 1). Words are sorted into groups. However, all groups have the same priority and all of them are always tested.
    4. Type a keyword that is to be scanned for. This word can be in any language and it should follow the exact form in which it is used on websites (including diacritics and other special symbols and characters). If the word has various forms (declension, conjugation, etc.), it is necessary to define each form as a separate word in the group.
    5. Type a weight. The weight should respect the frequency of the particular word (the more common the word, the lower the weight) so that legitimate webpages are not blocked.
    6. Click OK.
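    The weighting mechanism described in the Forbidden Words sections above, as an added Python example (not Kerio Control code). The word list, weights, threshold, whole-word case-insensitive matching and Unicode NFC normalization are all assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample list (word -> weight); not a Kerio Control default.
FORBIDDEN = {"casino": 40, "poker": 30, "jackpot": 30, "bet": 10, "sázky": 25}
THRESHOLD = 50  # constructed limit; a page is blocked only when the total EXCEEDS it


def norm(text):
    """Compose diacritics (NFC) and case-fold; accents are kept, not stripped."""
    return unicodedata.normalize("NFC", text).casefold()


def score_page(text, words=FORBIDDEN):
    """Return (total_weight, matched_words); each word counts once per page."""
    present = set(re.findall(r"\w+", norm(text)))  # assumption: whole-word match
    matched = sorted(w for w in words if norm(w) in present)
    return sum(words[w] for w in matched), matched


def is_blocked(text, words=FORBIDDEN, threshold=THRESHOLD):
    """Block when the summed weight is strictly greater than the threshold."""
    total, _ = score_page(text, words)
    return total > threshold


if __name__ == "__main__":
    pages = [  # constructed page texts
        "Casino casino CASINO bet",   # repeats count once: 40 + 10 = 50, allowed
        "Play poker at our casino",   # 30 + 40 = 70, blocked
        "casinos and bets",           # inflected forms are not listed: 0
        "sazky casino",               # missing diacritic does not match: 40
    ]
    for page in pages:
        total, matched = score_page(page)
        verdict = "BLOCK" if is_blocked(page) else "allow"
        print(f"{verdict:5} total={total:3} matched={matched} :: {page}")
```

    The third and fourth pages show why step 4 asks for every inflected form and the exact diacritics: a list that misses them scores the page lower than intended.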

    Using Kerio Control Web Filter

    Kerio Control Web Filter overview

    Kerio Control Web Filter rates web page content. For this purpose it uses a dynamic worldwide database which includes URLs and classification of web pages.

    Whenever a user attempts to access a web page, Kerio Control sends a request for the page rating. According to the classification of the page, the user will be either allowed or denied access to the page.

    A special license is required for Kerio Control Web Filter. Unless Kerio Control includes this module, it behaves as a trial version only (this means that it is automatically disabled after 30 days from the Kerio Control installation and options in the Kerio Control Web Filter tab will not be available).

    Enabling Kerio Control Web Filter

    Figure 1 Kerio Control Web Filter

    1. In the administration interface, go to Content Filter.
    2. On tab Kerio Control Web Filter, check Enable Kerio Control Web Filter.
    3. Check Categorize each page regardless of URL rules. Categorization of all pages is necessary for statistics of the categories of visited web pages. If you do not intend to keep these statistics, disable this option (categorization of all web pages might be demanding and it might decrease Kerio Control performance).

    4. Check Allow authenticated users to report miscategorized URLs. If the user believes that the page has been added to a wrong category (which makes Kerio Control block access to the page), they can suggest a change. The database administrator will then evaluate the suggestion within days. All suggestions are logged in the Security log.
    5. Click Apply.

    Testing URLs

    In the administration interface, it is possible to test URL categorization. It is then possible to make recategorization suggestions on the result page, if desired.

    1. In section Content Filter, go to Kerio Control Web Filter.
    2. Type in the URL and click Test URL.
    3. In the URL Categorization dialog, check if the category is correct.

    Creating a URL whitelist

    If Kerio Control Web Filter blocks a correct URL, you can add it to the special list of enabled URLs:

    1. In section Content Filter, go to Kerio Control Web Filter.
    2. Click Add.
    3. Type URL and description of the website. The following items can be specified:
       - server name. Server name represents any URL at a corresponding server,
       - address of a webpage,
       - URL using wildcard matching (e.g. *.ker?o.*). An asterisk stands for any number of characters (even zero), a question mark represents just one symbol.
    4. Save the settings.

    Using Web Filter in URL rules

    Whenever Kerio Control processes a URL rule that requires classification of pages, Kerio Control Web Filter is activated. The usage will be better understood through the following example, which describes a rule denying all users access to pages containing job offers:

    1. In the administration interface, go to Content Filter.
    2. On tab Content Rules, enable the predefined rule Kerio Web Filter categories.

    3. Double-click the Detected content column and click Add Applications and Web Categories.
    4. Select the Job Search rating category.
    5. Save the settings.

    URL Rules are described in more detail in a special article: Configuring the Content Filter.

    Filtering HTTPS connections

    Overview

    New in Kerio Control 8.4!

    Kerio Control decrypts and filters HTTPS connections. Kerio Control can apply the same filters and methods to the content of HTTPS connections as to the HTTP protocol, such as:
       - filtering URLs
       - Kerio Control Web Filter
       - antivirus check

    You can see the filtering results in User Statistics and Reporting.

    When a user accesses a site secured by HTTPS, an SSL certificate warning appears because Kerio Control uses its own certificate for re-encrypting HTTPS communication. Therefore it is important to distribute the Kerio Control certificate to your users' web browsers as a root certificate authority.

    HTTPS protocol filtering provides an HTTPS inspector. You can switch off the inspector for a particular rule in the Traffic Rules section or for a particular protocol in the Definitions → Services section. Read more in the Disabling protocol inspectors article.

    Configuring HTTPS filtering

    To start HTTPS filtering:

    1. Go to Content Filter → HTTPS Filtering in the administration interface.
    2. Select Decrypt and filter HTTPS traffic.
    3. Select Show Legal Notice to users, if it is necessary in your country. Contact your legal advisor if it is necessary to select this option. When users open an HTTPS site, Kerio Control warns them that the connection is decrypted by Kerio Control.

    The disclaimer appears to each logged-in user once per session and might be annoying to users.
    4. Click Apply.

    Kerio Control decrypts and filters all HTTPS communication.

    Figure 1 HTTPS Filtering

    Setting HTTPS filtering exceptions

    Kerio Control allows you to add exceptions from HTTPS filtering. There are two types of exceptions. You can:
       - Exclude specified traffic from decryption
       - Decrypt specified traffic only: use it when you need to decrypt only certain servers or users.

    You can set exceptions for:
       - web applications
       - users

    Excluding traffic to/from web applications

    Some web applications cannot use the Kerio Control certification authority (for example web access to banks, dropbox.com, microsoft.com) or use a non-https service on port 443. You must exclude these web applications from the HTTPS filtering.

    To set exceptions for a web application, you must know its IP address, domain name, or hostname:

    1. On the HTTPS Filtering tab, select Exclude specified traffic from decryption.
    2. Next to the Traffic to/from IP addresses which belong to field, click Edit.
    3. In the IP Address Groups dialog box, click Add.
    4. In the Add IP Address dialog box, click Select existing.
    5. In the Select existing menu, select HTTPS exclusions.
    6. In the Type field, select Host.
    7. In the Hostname/IP field, type the IP address, host name or domain name of the web application. If you add a domain name, you must use the Kerio Control DNS server and enable the DNS cache. If you use an IP address or a host name, you can use any DNS server.
    8. Click OK.
    9. On the HTTPS Filtering tab, click Apply.

    Web applications in this list do not go through the HTTPS filtering.

    Figure 2 HTTPS Filtering - preconfigured exception for Dropbox.com

    To change or delete an exclusion, go to the Definitions → IP address groups section.

    Excluding users from the HTTPS filtering

    If there are Kerio Control users who cannot use HTTPS filtering (for example for legal reasons), you can exclude them:

    1. On the HTTPS Filtering tab, click Exclude specified traffic from decryption.
    2. Next to the Traffic from the following users field, click Select.
    3. In the Select Items dialog box, click Add.
    4. In the new Select Items dialog box, select the domain of users which should be excluded.
    5. Select users and click OK. Kerio Control adds users to the list.
    6. Click OK.
    7. On the HTTPS Filtering tab, click Apply.

    Figure 3 HTTPS Filtering exceptions for users

    Kerio Control displays the list of excluded users in the Exclude traffic from the following users field. These users are excluded from the HTTPS filtering.

    Importing a certificate for an untrusted web application into Kerio Control

    Sometimes you or your users need to go to servers with a self-signed certificate. Such certificates are untrusted, so Kerio Control needs the certificate for authentication. You can:
       - add the server to a list of excluded applications
       - install the certificate of the server to Kerio Control

    Installing certificates to Kerio Control

    1. In the administration interface, go to Definitions → SSL Certificates.
    2. Click the More actions Import Import New Certificate button.
    3. The Import Certificate dialog box opens.
    4. In the Import Certificate dialog box, select Certificate without private key.

    5. Type the URL of the web application or, if you have the certificate, select the certificate file.
    6. Click Import.

    Figure 4 Kerio Control client login page

    The new certificate appears in the SSL Certificates section. Now your users can go to the untrusted page.

    Configuring proxy server

    Overview

    Even though the NAT technology used in Kerio Control enables direct access to the Internet from all local hosts, it contains a standard non-transparent proxy server. You can use it, for example, when Kerio Control is deployed within a network with many hosts where a proxy server has been used. Thus, the Internet connection is kept if a proxy server is used, and you don't have to re-configure all the hosts (or only some hosts require re-configuration).

    The proxy server can be used for HTTP, HTTPS and FTP protocols. The proxy server does not support the SOCKS protocol.

    Configuring the proxy server

    1. In the administration interface, go to Proxy Server.
    2. Select Enable non-transparent proxy server. This option enables the HTTP proxy server in Kerio Control on the port in the Port entry (port 3128 is set by default).
    3. To enable a tunnelled connection on non-standard TCP ports (for example, connecting to remote Kerio Control administration placed in the Internet from your local network), select option Allow tunnelled connections to all TCP ports. This option affects HTTPS traffic only. You can always access HTTP on any port via the non-transparent proxy.
    4. Click Apply.

    Configuring browsers

    To communicate through the non-transparent proxy server, you must configure web browsers on client hosts. You have several options for this configuration:

       - Configure browsers manually: type the IP address or DNS name of the proxy server and port (3128 is the default port for Kerio Control) in the proxy server settings in the browser.
       - In the Kerio Control administration in the Proxy Server section, switch the mode for automatic proxy configuration script to Kerio Control non-transparent proxy server, and add the following address to the browsers' settings: where is the IP address of the Kerio Control host and number 3128 represents the port of the proxy server (see above).
       - In the Kerio Control administration in the Proxy Server section, switch the mode for automatic proxy configuration script to Allow browsers to use configuration script automatically via DHCP server in Kerio Control. All browsers must select Automatically detect settings in the proxy server settings.

    The automatic configuration of browsers may take several hours. Browsers must ask for a new configuration.


    Arch Linux User Repository

    @quangdang I'll try to explain as best as I can, since English is not my first language.

    Basically, once you have kvpnc configured and running, but without reaching your destination network, open your terminal and ping one of your devices in the network you can't reach (like a printer, or a switch, or your gateway, as long as you know the IP address). Obviously it won't answer, but leave it running for now. Open Wireshark and start to capture on the kvnet internet interface, then look for a packet that will have the device you are pinging in the source, and will say "Echo (ping) reply" in info. Stop the capture and open that packet by double-clicking on it.

    Then you will see something that will say "Dst:" and some letters and numbers with dots, something like 11:22:33:44:55:66. That's the MAC address we are looking for; copy that.

    Then, using the command @krafZLorG shared (ip link set dev kvnet address XX:XX:XX:XX:XX:XX), you replace those XX with the MAC address that you copied from the packet, then run that command and voila! It will work.

    So far my downside is that every time I restart, I have to do this again since the kvpnc interface's MAC address changes every time. I'm looking for a way to set it to a specific MAC address so it won't change every single time, but at least it works now. Hope I was of some help.
