Table of Contents
- 9.1. User Accounts
- 9.2. User Groups
User accounts in WinRoute improve control of user access to the Internet from the local network. User accounts can be also used to access the WinRoute administration using the Kerio Administration Console. A basic administrator account is created during the WinRoute installation process. This account has full rights for WinRoute administration. It can be removed if there is at least one other account with full administration rights.
Note: If you have lost access to the WinRoute administration contact Kerio technical support.
New user accounts can be defined in Users and Groups / Users.
Use the Add button to open a dialog where new user accounts can be defined.
Step 1 — basic information:
- Name
Username used to log into the program. Usernames are not case-sensitive.
Warning: We recommend not to use special characters (non-English languages) which might cause problems when authenticating via the Web interface.
- Full name
Full name of the user (usually first name and surname of the user)
- Description
More information about the user (e.g. grade, position within the company, etc.)
The Full Name and the Description items have informative values only. Any type of information can be included or the field can be left empty.
- Authentication
User authentication (see below)
- Account is disabled
Suspension of a user account without removing it.
Authentication options:
- Internal User Database
User account information is stored locally to WinRoute. Passwords can be later edited using the Web interface — see chapter Chapter 7). NTML authenication cannot be used for this authentication method.
Warning: Passwords can include printable characters only (letters, digits, punctuation) and are case-sensitive. We recommend not to use special characters (non-English languages) which might cause problems when authenticating to the Web interface.
- Windows NT Domain
Users are authenticated in Windows NT Domain.
This method of authentication cannot be used unless WinRoute is running on Windows NT 4.0 / 2000 / XP operating systems.
- Kerberos 5
User authentication performed by Kerberos 5 authentication system. Windows 2000 domain (Active Directory) uses this authentication method.
Note: To set NT domain and/or Kerberos 5 realm go to Configuration / Advanced Options / User Authentication. For details refer to chapter 7.2.
Groups into which the user will be included can be added or removed with the Add or the Remove button within this dialog (to create new groups go to Domain Settings / Groups — see chapter 9.2). Follow the same guidelines to add users to groups during group definition. It is not important whether groups or users are defined first.
Tip: While adding new groups you can mark more than one group by holding either the Ctrl or theShift key.
Step 3 — access rights:
Each user must have one of the three types of access rights.
- No access to administration
The user has no rights to access the WinRoute administration. This setting is commonly used for the majority of users.
- Read only access to administration
The user can access WinRoute. He or she can read records and settings but cannot edit them.
- Full access to administration
The user can read or edit all the records and settings and his or her rights are equal to the administrator rights (Admin). If there is at least one user with the full access to the administration, the default Admin account can be removed.
Advanced options:
- User can override WWW content rules
User can customize personal Web content filtering settings independently of the global configuration (for details see chapters 6.2 and 7.3).
- User can dial
User can disconnect or connect to dial lines defined with Kerio Administration Console or Web administrator interface ( — see chapter Chapter 7) in WinRoute.
- User can unlock URL rules
User will be allowed to unlock Web pages with forbidden content.
Step 4 — content rules
Within this step special content filter rules settings for individual users can be defined. Global rules (defined in the Content Rules tab in the Configuration / Content Filtering / HTTP Policy section) are used as default (when a new user account is defined). For details see chapter 6.2).
Note: Users who are allowed to “override content rules” can customize their settings through Kerio WinRoute Firewall's Web interface (read more in chapter 7.3).
The Edit button opens a dialog for editing user account parameters. This dialog has all the properties of the Add User dialog window described above. All the setting options are included in one window only.
User accounts can be either defined manually or imported from other sources by clicking on the Import button. Click on Import users from to choose a source from which accounts will be imported. The sources are as follows:
- NT Domain (Windows NT 4.0)
There is only one parameter to be specified — Windows NT domain name. The WinRoute host must belong to this domain.
Warning: Do not use this function to import users if the domain server is running under Windows 2000! In this case use the Active Directory as a source (see below).
- Active Directory (Windows 2000)
To import users from Microsoft Active Directory the following data must be specified:
Active Directory domain name — name of the domain from which user accounts will be imported (e.g. domain.com).
Import from server — name of the domain server (e.g. server.domain.com)
Login as user, Password — name and password of the user with an account in this domain. No special user rights are required.
If all the requirements are met (the information is correct, the server is available, etc.), clicking on the OK button will display a user list. Select the names of the users which are to be imported into WinRoute.
User accounts will authenticate according to their source. This means that accounts imported from an NT domain will be authenticated by Windows NT Domain and user accounts imported from Active Directory by Kerberos 5 (The Kerberos 5 authentication system is used in Active Directory).