User accounts and groups, Chapter 15 – Kerio Tech Firewall6 User Manual

Chapter 15

User Accounts and Groups

User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can also be used to access WinRoute administration through the Administration Console.

WinRoute supports several methods of storing user accounts and groups, combined with various types of authentication, as follows:

Internal user database

User accounts and groups and their passwords are saved in WinRoute. During authentication, usernames are compared to the data in the internal database.

This method of storing accounts and authenticating users is particularly suitable for networks without a proper domain, as well as for special administrator accounts (the user can authenticate locally even if network communication fails).

On the other hand, in networks with a proper domain (Windows NT or Active Directory), local accounts in WinRoute may increase the demands on administration, since accounts and passwords must be maintained twice (in the domain and in WinRoute).

Internal user database with authentication within the domain

User accounts are stored in WinRoute. However, users are authenticated in the Windows NT or Active Directory domain (i.e. the password is not stored in the user account in WinRoute). Usernames in WinRoute must therefore match the usernames in the domain.

This method is less demanding in terms of administration. When, for example, a user wants to change their password, this can simply be done in the domain and the change is automatically applied to the account in WinRoute. In addition, it is not necessary to create user accounts in WinRoute by hand, as they can be imported from the corresponding domain.

Import of user accounts from Active Directory

If Active Directory (Windows 2000 Server or Windows Server 2003/2008) is used, automatic import of user accounts from it can be enabled. It is not necessary to define accounts in WinRoute or to import them, since templates can be configured that set specific parameters (such as access rights, content rules, transfer quotas, etc.) for new WinRoute users. The corresponding user account is imported automatically upon the user's first login to WinRoute. Parameters set by a template can be modified for individual accounts if necessary.

Note: This type of cooperation with Active Directory applies mainly to older versions of WinRoute and keeps these versions compatible. For a first installation of WinRoute, it is recommended to use transparent cooperation with Active Directory.
