Kerio Tech Firewall6 User Manual: User accounts and groups in traffic rules


Example: Optimization of network traffic load balancing

WinRoute provides two options for network traffic load balancing: per host (client) or per connection (for details, refer to chapter 7.3). Given the variety of applications on individual hosts and of user behavior, load balancing per connection proves to be the best solution, since it makes the most efficient use of the individual links. However, this mode may cause problems with services where multiple connections are established at one moment (web pages and other web-related services). The server may interpret source addresses that differ between the individual connections as connection recovery after a failure (which may, for instance, cause the session to expire) or as an attack attempt (in which case the service may become unavailable).

This problem can be worked around by policy routing. For the "problematic" services (e.g. HTTP and HTTPS) the load is balanced per host, i.e. all connections from one client are routed through a particular Internet link so that they share a single source IP address. For all other services, load balancing per connection is applied, which yields the most efficient use of the capacity of the available links.

These requirements are met by two NAT traffic rules (see figure 7.33). In the first rule, specify the services concerned and set the per host NAT mode. In the second rule, which is applied to all other services, set the per connection NAT mode.

Figure 7.33: Policy routing — load balancing optimization

7.6 User accounts and groups in traffic rules

In traffic rules, the source and destination can also be specified by user accounts and/or user groups. In the traffic policy, each user account represents the IP address of the host from which the user is connected. This means that the rule is applied only to users authenticated at the firewall (when the user logs out, the rule is no longer effective). This chapter focuses on various issues relating to the use of user accounts in traffic rules and gives hints for their solution.

Note: For detailed information on defining traffic rules, refer to chapter 7.3.

How to enable certain users to access the Internet

How to enable access to the Internet for specific users only? Assuming that this concerns a private local network whose Internet connection is provided through NAT, simply specify these users in the Source item of the NAT rule.
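The following toy model is an added example and is not Kerio's code or the product's actual rule engine. It illustrates both points made above: the two-rule layout from the load-balancing example (web services per host, everything else per connection, first matching rule wins) and the behaviour of user accounts in the Source item (a user account stands for the address of the host the user is logged in from, so the rule stops matching after logout and unauthenticated hosts fall through to the implicit deny). The `Rule` and `Firewall` classes, the link-selection method (address modulo for per host, round robin for per connection), the link names and the sample users and addresses are all constructed for the illustration and are not taken from the manual.

```python
"""Toy model of WinRoute-style traffic rules with NAT load balancing.

Added example, not Kerio's code. The Rule/Firewall classes, the link-selection
functions, and the sample users and addresses are constructed to illustrate the
manual's text; they do not describe how the product is implemented.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import List, Optional, Set

LINKS = ["link-A", "link-B"]  # constructed: two Internet links to balance across


@dataclass
class Rule:
    name: str
    services: Optional[Set[str]]  # None = any service
    nat_mode: str                 # "per_host" or "per_connection"
    src_users: Set[str] = field(default_factory=set)  # user accounts in Source
    src_nets: List = field(default_factory=list)      # ip_network objects in Source
    action: str = "allow"


class Firewall:
    def __init__(self, rules: List[Rule], links=LINKS):
        self.rules = rules
        self.links = links
        self.sessions = {}                   # user -> IP of the host the user logged in from
        self._rr = cycle(range(len(links)))  # constructed per-connection selector (round robin)

    def login(self, user: str, ip: str):
        self.sessions[user] = ip_address(ip)

    def logout(self, user: str):
        self.sessions.pop(user, None)

    def _source_matches(self, rule: Rule, src_ip) -> bool:
        if not rule.src_users and not rule.src_nets:
            return True  # Source = any host
        if any(src_ip in net for net in rule.src_nets):
            return True
        # A user account in Source stands for the IP address of the host the
        # user is currently authenticated from; after logout it matches nothing.
        return any(self.sessions.get(user) == src_ip for user in rule.src_users)

    def route(self, src_ip: str, service: str):
        """Return (rule name, link) for a new connection; the first matching rule wins."""
        src = ip_address(src_ip)
        for rule in self.rules:
            if rule.services is not None and service not in rule.services:
                continue
            if not self._source_matches(rule, src):
                continue
            if rule.action != "allow":
                return rule.name, None
            if rule.nat_mode == "per_host":
                idx = int(src) % len(self.links)  # stable choice per client address
            else:
                idx = next(self._rr)              # spread individual connections
            return rule.name, self.links[idx]
        return "implicit-deny", None  # no rule matched: traffic is dropped


def build_policy() -> List[Rule]:
    """The manual's two-rule layout, with Source restricted to named users.

    Rule 1: web services (HTTP/HTTPS) balanced per host, so a client keeps one
            source address across its parallel connections.
    Rule 2: everything else balanced per connection for best link utilisation.
    Both rules list user accounts in Source, so only authenticated users get
    Internet access; ordering matters, because rule 2 would otherwise catch
    web traffic as well.
    """
    users = {"jsmith", "alice"}  # constructed sample accounts
    return [
        Rule("NAT web per host", {"HTTP", "HTTPS"}, "per_host", src_users=users),
        Rule("NAT other per connection", None, "per_connection", src_users=users),
    ]


def demo() -> dict:
    fw = Firewall(build_policy())
    fw.login("jsmith", "192.168.1.10")  # constructed: jsmith authenticates from .10
    web = {fw.route("192.168.1.10", "HTTPS")[1] for _ in range(4)}
    other = {fw.route("192.168.1.10", "DNS")[1] for _ in range(4)}
    stranger = fw.route("192.168.1.20", "HTTP")  # host with no authenticated user
    fw.logout("jsmith")
    after_logout = fw.route("192.168.1.10", "HTTP")
    return {
        "web_links": web,              # a single link: per-host NAT
        "other_links": other,          # both links: per-connection NAT
        "stranger": stranger,          # implicit deny
        "after_logout": after_logout,  # rule stops applying once logged out
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the four behaviours side by side: HTTPS connections from the authenticated host all leave through one link, DNS connections from the same host alternate between links, a host with no logged-in user is denied, and the same host is denied again as soon as the user logs out. Swapping the two rules in `build_policy()` makes web traffic fall under the per-connection rule, which is the ordering mistake the manual's layout avoids.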
