Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual
Page 99 (running header: 7.7 Partial Retirement of Protocol Inspector)

counting reasons — see chapter 4.6). However, this NAT rule blocks any connection unless the user is authenticated.

Enabling automatic authentication

The automatic user authentication issue can be solved easily as follows:

Add a rule allowing unlimited access to the HTTP service before the NAT rule.

Figure 7.35: These traffic rules enable automatic redirection to the login page

In URL rules (see chapter 12.2), allow specific users to access any Web site and deny any access to other users.

Figure 7.36: These URL rules enable specified users to access any Web site

A user who is not yet authenticated and attempts to open a Web site will be automatically redirected to the authentication page (or authenticated by NTLM, or logged in from the corresponding host). After successful authentication, users specified in the NAT rule (see figure 7.35) will also be allowed to access other Internet services. Users not specified in the rules, as well as unauthenticated users, will be denied access to any Web site and/or other Internet services.

Note: In this example, it is assumed that client hosts use the WinRoute DNS Forwarder or a local DNS server (traffic to the DNS server must be allowed). If client stations used a DNS server in the Internet (this configuration is not recommended!), it would be necessary to include the DNS service in the rule which allows unlimited Internet access.
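The rule ordering described above (unrestricted HTTP rule before the NAT rule, then URL rules, plus the DNS caveat from the note) as a small first-match model. This is an added example, not Kerio's code or the WinRoute rule engine; rule names, the user "alice"/"bob" and the service labels are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    services: frozenset          # empty set = any service
    require_auth: bool = False   # matches only authenticated users' traffic

def first_match(rules, service, authenticated):
    """Traffic rules are evaluated top-down and the first match wins;
    with no match the implicit default rule denies the connection."""
    for rule in rules:
        if rule.services and service not in rule.services:
            continue
        if rule.require_auth and not authenticated:
            continue
        return rule.name
    return "default deny"

def web_decision(user, authenticated, allowed_users):
    """URL-rule layer (figure 7.36); only reached once a traffic rule allowed HTTP."""
    if not authenticated:
        return "redirect to login page"
    return "allow" if user in allowed_users else "deny"

# Figure 7.35: the unrestricted HTTP rule is placed *before* the NAT rule.
RULES_OK = (Rule("HTTP for everyone", frozenset({"HTTP"})),
            Rule("NAT for authenticated users", frozenset(), require_auth=True))
# Same set with the HTTP rule omitted: an unauthenticated client never
# reaches the login page because nothing matches its HTTP connection.
RULES_MISSING_HTTP = RULES_OK[1:]
# The note's caveat: clients using a DNS server in the Internet also need
# DNS in the unrestricted rule, or name resolution fails before HTTP starts.
RULES_EXT_DNS = (Rule("HTTP+DNS for everyone", frozenset({"HTTP", "DNS"})),) + RULES_OK[1:]

ALLOWED_WEB_USERS = frozenset({"alice"})   # constructed: users granted any Web site

def access(rules, user, authenticated, service, allowed=ALLOWED_WEB_USERS):
    """Combine both layers the way the section describes them."""
    if first_match(rules, service, authenticated) == "default deny":
        return "deny"
    if service == "HTTP":
        return web_decision(user, authenticated, allowed)
    return "allow"

if __name__ == "__main__":
    for rules, label in ((RULES_OK, "ok"), (RULES_MISSING_HTTP, "no HTTP rule")):
        print(label, access(rules, "bob", False, "HTTP"))
```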

7.7 Partial Retirement of Protocol Inspector

Under certain circumstances, applying a protocol inspector to a particular communication might be undesirable. To disable a specific protocol inspector, define the corresponding source and destination IP addresses and a traffic rule for this service that explicitly states that no protocol inspector will be used.
