Demand Dial

If the WinRoute host is connected to the Internet via dial-up, WinRoute can automatically dial the connection when users attempt to access the Internet. WinRoute provides the following options for controlling dialing and hanging up:

  • Line is dialed when a request from the local network is received. This function is called Demand dial. For further description see below.

  • Line is disconnected automatically if idle for a certain period (no data is transmitted in either direction). For a description of the automatic disconnection, refer to chapter Interfaces.

How demand dial works

First, the function of demand dial must be activated within the appropriate line (either permanently or during a defined time period). This may be defined in Configuration / Interfaces (for details see chapter Interfaces).

Second, there must be no default gateway in the operating system (no default gateway must be defined for any network adapter).

If WinRoute receives a packet from the local network, it will compare it with the system routing table. If no default route is available, WinRoute holds the packet in the cache and dials the appropriate line if the demand dial function is enabled. This creates an outgoing route in the routing table via which the packet will be sent.

The line may be either disconnected manually or automatically if idle for a certain time period.

Notes:

  1. To ensure correct functionality of demand dialing there must be no default gateway set at network adapters. If there is a default gateway at any interface, packets to the Internet would be routed via this interface (no matter where it is actually connected to) and WinRoute would not dial the line.

  2. If multiple demand dial RAS lines are defined in WinRoute, the one that was defined first will be used. WinRoute does not enable automatic selection of a line to be dialed.

  3. Lines can also be dialed if this is defined by a static route in the routing table (refer to chapter Routing Table). If a static route via the dial-up is defined, a packet matching this route will dial the line. This line will not be used as the default route; the Use default gateway on remote network option in the dial-up definition will be ignored.

  4. Depending on the factors that affect the total time between receiving the request and dialing the line (i.e. line speed, time needed to dial the line, etc.), the client might consider the destination server unavailable (if the timeout expires) before the connection is established. However, WinRoute always finishes dial attempts. In such cases, simply repeat the request, i.e. with the Refresh button in your browser.

Technical Peculiarities and Limitations

Demand dialing has its peculiarities and limitations. The limitations should be considered especially when designing and configuring the network that will use WinRoute for its connection, and the dial-up connection to the Internet.

  1. Demand dial cannot be performed directly from the host where WinRoute is installed because it is initiated by the WinRoute low-level driver. This driver holds packets and decides whether the line should be dialed or not. If the line is disconnected and a packet is sent from the local host to the Internet, the packet will be dropped by the operating system before the WinRoute driver is able to capture it.

  2. Typically the server is represented by the DNS name within traffic between clients and an Internet server. Therefore, the first packet sent by a client is represented by the DNS query that is intended to resolve a host name to an IP address.

    In this example, the DNS server is the WinRoute host (this is very common) and the line to the Internet is disconnected. A client's request on this DNS server is traffic within the local network and, therefore, it will not result in dialing the line. If the DNS server does not have the appropriate entry in the cache, it must forward the request to another server on the Internet. The packet is forwarded to the Internet by the local DNS client that is run at the WinRoute host. This packet cannot be held and it will not cause dialing of the line. Therefore, the DNS request cannot be answered and the traffic cannot continue.

    For these reasons, WinRoute DNS Forwarder enables automatic dialing (if the DNS server cannot respond to the request itself). This function is dependent on demand dial: if the demand dial function is disabled, the DNS Forwarder will not dial the line.

    Note: If the DNS server is located on another host within the local network or clients within the local network use an Internet DNS server, then the limitation is irrelevant and the dialing will be available. If clients' DNS server is located on the Internet, the line will be dialed upon a client's DNS query. If a local DNS server is used, the line will be dialed upon a query sent by this server to the Internet (the default gateway of the host where the DNS server is running must be set to the IP address of the WinRoute host).

  3. It follows from the previous point that if the DNS server is to run on the WinRoute host, it must be DNS Forwarder, because it can dial the line if necessary.

    If there is a domain that is based on Active Directory in the Windows 2000 local network, Microsoft DNS server must be used as communication with Active Directory is performed according to special types of DNS requests. Microsoft DNS server does not support automatic dialing. Moreover, it cannot be used at the same host as DNS Forwarder as it would cause collision of ports.

    As understood from the facts above, if the Internet connection is to be available via dial-up, WinRoute cannot be used at the same host where Windows 2000 server Active Directory and Microsoft DNS are running.

  4. If DNS Forwarder is used, WinRoute can dial as a response to a client's request if the following conditions are met:

    • Destination server must be defined by DNS name so that the application can create a DNS query.

    • In the operating system, set the primary DNS server to the IP address of the firewall. In Windows operating system, go to TCP/IP properties and set the IP address of this interface as the primary DNS.

    • DNS Forwarder must be configured to forward requests to one of the defined DNS servers (the Forward queries to the specified DNS server(s) option). Automatic detection of DNS servers is not available. For details refer to chapter DNS Forwarder.

  5. The Proxy server in WinRoute (see chapter Proxy server) also provides direct dial-up connections. A special page providing information on the connection process is opened (the page is refreshed in short periods). Upon a successful connection, the browser is redirected to the specified Website.

Setting Rules for Demand Dial

Demand dial functions may cause unintentional dialing. It's usually caused by DNS queries that are handled by the DNS Forwarder. The following causes apply:

  • User host generates a DNS query in the absence of the user. This traffic attempt may be a banner from a local HTML page or automatic update of an installed application.

  • DNS Forwarder performs dialing in response to requests of names of local hosts. Define DNS for the local domain properly (use the hosts system file of the WinRoute host; for details see chapter DNS Forwarder).

Note: In WinRoute, unwanted traffic may be blocked. However, for security reasons it is recommended to detect the root of the problem (i.e. use antivirus to secure the workstation, etc.).

In Configuration / Demand Dial within Kerio Administration Console, detailed rules for dialing certain DNS names may be defined.

In this section you can create a rule list of DNS names.

Either whole DNS name or only its end or beginning completed by an asterisk (*) may be entered. An asterisk may stand for any number of characters.

In Actions you can select from the Dial or Ignore options. Use the second option to block dialing of the line in response to a query on the DNS name.

Rule lists are searched downwards (rule order can be modified with the arrows at the right side of the window). When the system detects the first rule that meets all requirements, the desired action is executed and the search is stopped. All DNS names missing a suitable rule will be dialed automatically by DNS Forwarder when demanded.

The Dial function can be used for creating advanced and more complex rules. For example, dial can be permitted for one name within the domain and denied for the others (see the figure).

Dial of local DNS names

Local DNS names are names of hosts within the domain (names that do not include a domain).

Example: The local domain is called company.com. The host is called pc1. The full name of the host is pc1.company.com whereas local name in this domain is pc1.

Local names are usually stored in the database of the local DNS server (in this example, the names are stored in the hosts file at the WinRoute host that uses DNS Forwarder). By default, DNS Forwarder does not dial these names, as names are considered non-existent unless they can be found in the local DNS database.

If the primary server of the local domain is located outside of the local network, it is necessary that the DNS Forwarder also dials the line if requests come from these names. Activate the Enable dialing for local DNS names option in the Other settings tab to enable this (at the top of the Demand Dial dialog window).
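The rule-list evaluation and the local-name behavior described above can be modeled offline to check which queried names would bring the line up. This is an added example, not WinRoute code: the function names, the sample rules and the sample names are constructed, and checking local names before the rule list is an assumption about ordering that the text does not state.

```python
DIAL, IGNORE = "Dial", "Ignore"

def matches(pattern, name):
    """Whole DNS name, or its beginning/end completed by an asterisk."""
    pattern = pattern.lower()
    if pattern.startswith("*"):
        return name.endswith(pattern[1:])
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def decide(rules, name, dial_local_names=False):
    """Return (action, index of the matching rule or None) for one query."""
    name = name.lower().rstrip(".")       # DNS names are case-insensitive
    if "." not in name and not dial_local_names:
        return IGNORE, None               # assumption: local names checked first
    for i, (pattern, action) in enumerate(rules):
        if matches(pattern, name):        # first matching rule wins
            return action, i
    return DIAL, None                     # names without a rule are dialed

def audit(rules, names, dial_local_names=False):
    """List the names that would dial the line and the rule responsible."""
    hits = []
    for n in names:
        action, idx = decide(rules, n, dial_local_names)
        if action == DIAL:
            hits.append((n, "default" if idx is None else rules[idx][0]))
    return hits

# Constructed rule list: permit one name in a domain, ignore the others.
RULES = [
    ("mail.example.com", DIAL),
    ("*.example.com", IGNORE),
    ("update.*", IGNORE),
]
# Constructed names, e.g. taken from a DNS query log.
NAMES = ["mail.example.com", "www.example.com",
         "update.vendor.example", "pc1", "www.example.org."]

if __name__ == "__main__":
    for name, rule in audit(RULES, NAMES):
        print(f"{name}: dials (rule: {rule})")
```

Names reported with rule "default" matched no rule at all; those are the ones to review when the line is being dialed unexpectedly.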
