WinRoute allows administrators to monitor connections (packet, connection, Web pages or FTP objects and command filtering) related to each user. The username in each filtering rule represents the IP address of the host(s) from which the user is connected.
In addition to authentication-based access limitations, user login can be used to effectively monitor activity using logs (see chapter 13), status (see chapter 12.3), and hosts and users (see chapter 12.2). If there is no user connected from a certain host, only the IP address of the host will be displayed in the logs and statistics.
Users can connect:
manually — the user opens the following page in the browser:
http://server:4080/fw/login
re-direction — by accessing any Web site that requires user authentication
using NTLM — if Microsoft Internet Explorer is used and the user is authenticated in a Windows NT or Windows 2000 domain, the user can be authenticated automatically (the login page will not be displayed). For details see below (the User Authentication Options section).
Login by re-direction is performed in the following way: the user enters the URL of the page that he/she intends to open in the browser. WinRoute detects whether the user has already authenticated. If not, WinRoute will re-direct the user to the login page automatically. After a successful login, the user is automatically re-directed to the requested page or to the page with information about the denied access.
Note: If the SSL has priority option is activated in the parameters for the Web interface (see chapter 7.1), users are re-directed to the encrypted login page automatically. If not, users are re-directed to the unencrypted login page.
This is the appearance of the login page:
Login name and password of the user.
After a successful login attempt, the user will be re-directed to the login page. From the login page users can go to the pages of user preferences, statistics or to the formerly requested site (for details see chapter 7.3).
If the user is re-directed to the page automatically (after entering the URL of a page for which firewall authentication is required), he/she will be re-directed to the formerly requested site after a successful login attempt. This rule will not be applied if the Show user menu page option is enabled — if so, the login page (with the link to the formerly requested page) will be displayed. For details see chapter 7.3.
Optional user parameters can be defined in the User Authentication tab in Configuration / Advanced Options. To define these parameters go to the User Authentication section.
Timeout (in minutes) — after its expiration the user will be logged out from the firewall automatically, if no traffic has been detected. The default value is 120 minutes (2 hours).
This often happens when a user forgets to log out from the firewall. Therefore it is not recommended to disable this option (by setting the value to 0). If this option is off, access rights might be misused by other users.
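The effect of the timeout on who gets credited with traffic can be seen in a small model. This is an added example, not WinRoute code: the class and function names, the IP address, the user name and the exact expiry comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_TIMEOUT_MIN = 120  # default from the text above; 0 disables the timeout


@dataclass
class Session:
    user: str
    last_seen: float  # minutes since the start of the constructed timeline


class HostSessions:
    """Toy model (assumption): one firewall login per host IP, expired by inactivity."""

    def __init__(self, timeout_min=DEFAULT_TIMEOUT_MIN):
        self.timeout_min = timeout_min
        self.by_ip = {}

    def login(self, ip, user, now):
        self.by_ip[ip] = Session(user, now)

    def attribute(self, ip, now):
        """Return the user that traffic from ip at minute now is logged under,
        or None when only the IP address would appear in the logs."""
        s = self.by_ip.get(ip)
        if s is None:
            return None
        idle = now - s.last_seen
        if self.timeout_min and idle >= self.timeout_min:
            del self.by_ip[ip]   # automatic logout: no traffic seen in time
            return None
        s.last_seen = now        # any traffic resets the idle timer
        return s.user


# Constructed timeline of (minute, source IP). "alice" logs in at minute 0,
# browses until minute 30 and leaves without logging out; somebody else
# uses the same host at minute 400.
TRAFFIC = [(10, "192.168.1.20"), (30, "192.168.1.20"), (400, "192.168.1.20")]


def replay(timeout_min):
    fw = HostSessions(timeout_min)
    fw.login("192.168.1.20", "alice", 0)
    return [fw.attribute(ip, t) for t, ip in TRAFFIC]


if __name__ == "__main__":
    print("timeout 120:", replay(120))
    print("timeout 0:  ", replay(0))
```

With the timeout disabled, the traffic at minute 400 is still logged and filtered under the forgotten login; with the default value it falls back to the bare IP address.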
If you use Microsoft Internet Explorer (5.01 and later), users can be authenticated automatically at the firewall (using NTLM authentication). This function requires the following conditions:
The WinRoute host must belong to a Windows NT or Windows 2000 domain.
Client hosts must belong to this domain as well.
Users at client hosts must log into this domain. Local user accounts cannot be used in this case.
WinRoute Firewall Engine must run as a service or it must be run as a user which has administrator rights for the host.
NTLM authentication cannot be used for authentication within an internal database.
Name of the NT domain where users will be authenticated (e.g. COMPANY). Multiple domains (separated by semicolons) can be included in this entry.
Name of a Kerberos domain where users will be authenticated (e.g. company.com). To use multiple domains, separate their names with semicolons.
This authentication method is used by the Windows 2000 domain (Active Directory).
Note: When user accounts are imported from an NT domain or Windows 2000 domain, appropriate items are inserted automatically.