How do I force users to log out of the firewall?

Kerio Control can use NTLM (NT LAN Manager) authentication to log users on to the firewall automatically when they are logged on to an Active Directory or NT domain. However, if the user does not manually log out of Kerio Control, the session remains active until the session timeout period expires. This timeout period is set to 2 hours by default.

If a user logs out of Windows, the user is not logged out of Kerio Control; again, the session only ends after the 2-hour timeout. The consequence is that a user license stays in use. If you have more users than licenses, this may prevent a new user from connecting through Kerio Control. Furthermore, the next user on that computer will appear to be the previous user, which leads to incorrect logging of user activity.

It is possible to create a logout link and store it as a bookmark in order to log out of Kerio Control, or, alternatively, to use a logout script that logs the user out automatically.

https://firewall_ip:4081/internal/logout

http://firewall_ip:4080/internal/logout

Details

It is possible to automate the Kerio Control logout process with a script that runs when the user logs off from Windows. This method works for any number of users who share the same machine.

In Active Directory, the domain controller can run a script during the user's logoff. This script performs the logout automatically for the user by calling a utility that makes the necessary HTTP request to Kerio Control's web server.

The script needs to open this URL: http://firewall_ip:4080/internal/logout

Here is an example script which uses the freely available wget program.

  1. Download wget for Microsoft Windows.
  2. Copy the wget.exe file to each client computer.
  3. Using Active Directory, set a Group Policy that runs wget.exe during the logoff procedure:
     1. Open the Group Policy settings: Active Directory Users and Groups > [your domain] > Properties > Group Policy tab, and select the "Open" button.
     2. In the Group Policy Management console, select your domain in the left-hand menu bar. Then select "Default Domain Policy" under the "Linked Group Policy Objects" tab. Right-click it and select "Edit".
     3. In the Group Policy Object Editor, select User Configuration > Windows Settings > Scripts (Logon/Logoff).
     4. Create a new Logoff script by double-clicking "Logoff" and pressing the "Add" button.
     5. Use the following settings for your script:
        • Program name: c:\wget.exe
        • Program parameters (HTTP): -q http://firewall_ip:4080/internal/logout
        • Program parameters for HTTPS logout (server certificate is trusted): -q https://firewall_ip:4081/internal/logout
        • Program parameters for HTTPS logout (server certificate is not trusted, e.g. a self-signed certificate): --no-check-certificate -q https://firewall_ip:4081/internal/logout
     6. Save the script and exit all folders.
     7. Under "Default Domain Policy" > Properties, enable "Enforced".
  4. Test the logoff script by logging a user out of Windows and then checking Kerio Control to confirm the user has been logged out. You can see this under Status > Hosts/Users.
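The same logoff action can be implemented without copying wget.exe to every client, using only PowerShell built-ins. The script below is an added example written for this article, not Kerio's own script; it assumes "firewall_ip" is a placeholder you replace with your firewall's name or address, that the log file path is an arbitrary troubleshooting choice, and that the -TrustAnyCertificate switch is only ever used for the self-signed-certificate case that the --no-check-certificate wget parameter above covers.

```powershell
# Added example, not Kerio Control's own script: a Group Policy logoff script
# that sends the same logout request as the wget.exe step above, using
# PowerShell built-ins so nothing has to be copied to each client.
# Assumptions: "firewall_ip" is a placeholder for your Kerio Control address,
# and the log file path is an arbitrary choice for troubleshooting.
param(
    [string]$FirewallHost = "firewall_ip",   # placeholder: replace with the firewall's name or IP
    [switch]$UseHttps,                       # use the HTTPS logout URL on port 4081 instead of HTTP on 4080
    [switch]$TrustAnyCertificate             # same effect as wget --no-check-certificate (self-signed certificate only)
)

$logFile = Join-Path $env:TEMP 'kerio-logoff.log'

# Build the logout URL exactly as the wget parameters above do.
if ($UseHttps) {
    $url = "https://${FirewallHost}:4081/internal/logout"
} else {
    $url = "http://${FirewallHost}:4080/internal/logout"
}

$request = @{
    Uri             = $url
    UseBasicParsing = $true      # no Internet Explorer engine dependency; harmless no-op on PowerShell 6+
    TimeoutSec      = 10         # keep the logoff from hanging if the firewall is unreachable
    ErrorAction     = 'Stop'     # turn HTTP and connection errors into catchable exceptions
}

if ($TrustAnyCertificate) {
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $request['SkipCertificateCheck'] = $true          # PowerShell 6+ has a dedicated parameter
    } else {
        # Windows PowerShell 5.1 has no such parameter; disable validation for this process instead.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }
}

try {
    $response = Invoke-WebRequest @request
    Add-Content -Path $logFile -Value "$(Get-Date -Format s) logout OK (HTTP $($response.StatusCode)) $url"
} catch {
    # A logoff script must never block the user's logoff, so only record the failure.
    Add-Content -Path $logFile -Value "$(Get-Date -Format s) logout FAILED $url : $($_.Exception.Message)"
}
```

Register it in the same place as the wget script (User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logoff), on the "PowerShell Scripts" tab, with parameters such as `-FirewallHost firewall_ip -UseHttps`. Because the script runs in the context of the user logging off, the log file lands in that user's %TEMP%, which is the first place to look if Status > Hosts/Users still shows the user after logoff. Prefer importing the firewall's certificate authority on the clients over -TrustAnyCertificate, since that switch accepts any certificate the connection presents, just as --no-check-certificate does for wget.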