Kerio WinRoute Firewall 6 User Manual – 7.6 User accounts and groups in traffic rules

Page 98


Chapter 7

Traffic Policy


IP address will be used). Per-connection load balancing will be applied to all other services, so the capacity of the available links is used as efficiently as possible.

Both requirements are met by using two NAT traffic rules (see figure 7.33). In the first rule, specify the corresponding services and set the per host NAT mode. In the second rule, which will be applied to any other services, set the per connection NAT mode.

Figure 7.33 Policy routing — load balancing optimization

7.6 User accounts and groups in traffic rules

In traffic rules, the source and destination can also be specified by user accounts and/or user groups. In traffic policy, each user account represents the IP address of the host from which that user is connected. This means that the rule is applied only to users authenticated at the firewall (once the user logs out, the rule is no longer effective). This chapter focuses on various issues relating to the use of user accounts in traffic rules, along with hints for solving them.

Note: For detailed information on defining traffic rules, refer to chapter 7.3.

How to enable certain users to access the Internet

How can Internet access be enabled for specific users only? Assuming that the problem applies to a private local network whose Internet connection goes through NAT, simply specify these users in the Source item of the NAT rule.

Figure 7.34 This traffic rule allows only selected users to connect to the Internet

Such a rule enables the specified users to connect to the Internet (once authenticated). However, these users must open the WinRoute interface's login page manually and authenticate (for details, see chapter 10.1).

However, with such a rule defined, all methods of automatic authentication will be ineffective (i.e. redirection to the login page, NTLM authentication, and automatic authentication from defined hosts). The reason is that automatic authentication (or redirection to the login page) is not invoked unless a connection to the Internet is being established (for license
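The following is an added illustration of the two points this section makes, written for this page and not taken from Kerio WinRoute: a user account or group in the Source item stands for the IP address the user is currently logged in from, so the rule matches that host only while the session exists; and an unauthenticated host never matches a user-based rule, which is why automatic authentication that depends on a connection being established cannot kick in. The class and method names (Firewall, Rule, login, evaluate, auto_auth_possible), the group and user names, and the 192.0.2.x addresses are all constructed for the example. It goes slightly beyond the text by contrasting the user-restricted rule with a rule whose Source is any host, to show where the difference comes from.

```python
# Toy model of traffic rules whose Source is a user account or group.
# Added illustration for this page; not Kerio WinRoute's code. All names,
# users, groups and addresses below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    source: Optional[frozenset]  # user/group names; None means "any host"
    action: str                  # "permit" or "deny"


class Firewall:
    def __init__(self, rules: List[Rule], groups: Dict[str, Set[str]]):
        self.rules = rules
        self.groups = groups
        # Authenticated hosts: IP -> username. A user account in a rule stands
        # for the IP address that user is currently logged in from.
        self.sessions: Dict[str, str] = {}

    def login(self, username: str, ip: str) -> None:
        self.sessions[ip] = username

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def _source_matches(self, rule: Rule, src_ip: str) -> bool:
        if rule.source is None:
            return True
        user = self.sessions.get(src_ip)
        if user is None:
            return False  # no session on this host: a user-based source never matches
        return any(entry == user or user in self.groups.get(entry, set())
                   for entry in rule.source)

    def evaluate(self, src_ip: str) -> Tuple[str, str]:
        """First matching rule wins; implicit deny when nothing matches."""
        for rule in self.rules:
            if self._source_matches(rule, src_ip):
                return rule.name, rule.action
        return "implicit", "deny"

    def auto_auth_possible(self, src_ip: str) -> bool:
        """Model of the caveat in the text: redirection to the login page or NTLM
        authentication is only invoked while a connection is being established,
        so for an unauthenticated host it can only happen if the policy already
        lets the connection through."""
        if src_ip in self.sessions:
            return False
        return self.evaluate(src_ip)[1] == "permit"


def demo() -> Dict[str, object]:
    """Constructed scenario: NAT rule with Source = group 'internet' plus user 'carol'."""
    groups = {"internet": {"alice", "bob"}}
    fw = Firewall([Rule("NAT", frozenset({"internet", "carol"}), "permit")], groups)
    out: Dict[str, object] = {}
    out["unauthenticated"] = fw.evaluate("192.0.2.10")   # nobody logged in
    fw.login("alice", "192.0.2.10")
    out["alice"] = fw.evaluate("192.0.2.10")             # group member: permitted
    fw.login("dave", "192.0.2.11")
    out["dave"] = fw.evaluate("192.0.2.11")              # authenticated but not in rule
    fw.logout("192.0.2.10")
    out["after_logout"] = fw.evaluate("192.0.2.10")      # rule no longer effective
    out["auto_auth_user_rule"] = fw.auto_auth_possible("192.0.2.12")
    anyhost = Firewall([Rule("NAT any", None, "permit")], groups)
    out["auto_auth_any_rule"] = anyhost.auto_auth_possible("192.0.2.12")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} -> {value}")
```

Running the module prints one line per scenario; the two `auto_auth_*` entries show that with only the user-restricted rule an unauthenticated host is dropped before any redirect could be triggered, whereas a rule matching any host lets the connection start and so leaves room for automatic authentication.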
