Kerio Tech Firewall6 User Manual, page 97: 7.7 Partial Retirement of Protocol Inspector

A user who is not yet authenticated and attempts to open a Web site will be automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After a successful authentication, users specified in the NAT rule (see figure 7.35) will also be allowed to access other Internet services. Users not specified in the rules, as well as unauthenticated users, will be denied access to any Web site or other Internet service.

Note: In this example, it is assumed that client hosts use the WinRoute DNS Forwarder or a local DNS server (traffic to the DNS server must be allowed). If client stations used a DNS server in the Internet (this configuration is not recommended!), it would be necessary to include the DNS service in the rule which allows unlimited Internet access.

7.7 Partial Retirement of Protocol Inspector

Under certain circumstances, applying a protocol inspector to a particular communication might be undesirable. To disable protocol inspection for a specific communication, define a service for it, together with the corresponding source and destination IP addresses, and a traffic rule for this service which states explicitly that no protocol inspector will be used.

Example

A banking application (client) communicates with the bank's server through its own protocol, which uses TCP at port 2000. Suppose the banking application runs on a host with IP address 192.168.1.15 and connects to the server server.bank.com.

This port is also used by the Cisco SCCP protocol, so under normal circumstances the SCCP protocol inspector would be applied to the traffic of the banking client. However, this might affect the functionality of the application or endanger its security.

A special traffic rule, as follows, will be defined for all traffic of the banking application:

1. In the Configuration → Definitions → Services section, define a service called Internet Banking: this service uses TCP at port 2000 and no protocol inspector is applied to its communication.

2. In the Configuration → Traffic Policy section, create a rule which permits this service's traffic between the local network and the bank's server. Specify that no protocol inspector will be applied.

Note: In the default configuration of the Traffic rules section, the Protocol inspector column is hidden. To show it, modify the settings through the Modify columns dialog (see chapter 3.2).
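The two steps above amount to one narrowly scoped exception placed ahead of the generic rule that would otherwise assign the SCCP inspector by port. The following is an added illustration, not Kerio's code or its configuration format: a small first-match traffic-policy evaluator in Python, with the banking host 192.168.1.15, the server server.bank.com and the TCP/2000 service taken from the example, and with the rule names, the generic "SCCP out" rule, the local network 192.168.1.0/24, the second host 192.168.1.20 and first-match evaluation order all assumed for the example. It shows why the exception must be listed before the generic rule, and that the exception only removes inspection for the banking host talking to the bank server, not for other port-2000 traffic.

```python
"""Added example (not Kerio's code or configuration format): first-match
traffic-policy evaluation showing how a service defined with no protocol
inspector overrides the inspector that the port alone would select.
Rule names, the generic SCCP rule, the local network and the second host
are constructed for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str              # "tcp" or "udp"
    port: int
    inspector: Optional[str]   # None means no protocol inspector


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                # source network in CIDR notation
    destination: str           # destination host name, or "any"
    service: Service
    action: str                # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_host: str
    protocol: str
    dst_port: int


# Built-in service on TCP/2000 with its protocol inspector (as in the manual).
SCCP = Service("SCCP", "tcp", 2000, inspector="SCCP")
# Step 1 of the manual: same port, but explicitly no inspector.
INTERNET_BANKING = Service("Internet Banking", "tcp", 2000, inspector=None)

# Step 2 of the manual: banking host to bank server, no inspector.
BANKING_RULE = Rule("Internet Banking", "192.168.1.15/32", "server.bank.com",
                    INTERNET_BANKING, "permit")
# Assumed generic outbound rule: whole local network, SCCP service, inspector on.
DEFAULT_SCCP_RULE = Rule("SCCP out", "192.168.1.0/24", "any", SCCP, "permit")

POLICY_WITHOUT_EXCEPTION = [DEFAULT_SCCP_RULE]
POLICY_WITH_EXCEPTION = [BANKING_RULE, DEFAULT_SCCP_RULE]   # exception listed first
POLICY_MISORDERED = [DEFAULT_SCCP_RULE, BANKING_RULE]       # exception never reached


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when protocol, port, source network and destination agree."""
    if flow.protocol != rule.service.protocol or flow.dst_port != rule.service.port:
        return False
    if ip_address(flow.src_ip) not in ip_network(rule.source):
        return False
    # Matching the destination by host name is a simplification; a real
    # firewall compares resolved addresses.
    return rule.destination in ("any", flow.dst_host)


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str, Optional[str]]:
    """Return (rule name, action, inspector) for the first matching rule.
    Traffic matching no rule is implicitly denied."""
    for rule in policy:
        if rule_matches(rule, flow):
            inspector = rule.service.inspector if rule.action == "permit" else None
            return rule.name, rule.action, inspector
    return "implicit deny", "deny", None


BANKING_FLOW = Flow("192.168.1.15", "server.bank.com", "tcp", 2000)

if __name__ == "__main__":
    for label, policy in (("without exception", POLICY_WITHOUT_EXCEPTION),
                          ("with exception", POLICY_WITH_EXCEPTION),
                          ("misordered", POLICY_MISORDERED)):
        print(label, evaluate(policy, BANKING_FLOW))
```

The evaluator returns the matched rule, its action and the inspector that ends up on the flow. With only the generic rule, the banking flow is permitted but inspected by SCCP; with the exception listed first it is permitted with no inspector; with the exception listed after the generic rule it is never reached, which is the ordering mistake to check for when the application still misbehaves after the rule is added. Traffic from another host on port 2000, or from the banking host to any other server, still gets the SCCP inspector, so the exception does not weaken inspection elsewhere.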
