Configuring Universal Plug-and-Play (UPnP)

Kerio Control supports the UPnP (Universal Plug-and-Play) protocol. This protocol enables client applications (e.g. Microsoft MSN Messenger) to detect the firewall and request that appropriate ports be mapped from the Internet to a particular host in the local network. Such a mapping is always temporary: it applies either until the application releases the ports (using UPnP messages) or until a timeout expires.

The required port must not collide with any existing mapped port or any traffic rule allowing access to the firewall from the Internet. Otherwise, the UPnP port mapping request will be denied.

Configuring the UPnP support

  1. In the administration interface, go to Security Settings > Zero-configuration Networking.
  2. Click Enable UPnP service.
  3. If you want to log all packets passing through ports mapped with UPnP, click Log packets. Kerio Control logs the communication to the Filter log.
  4. If you want to log all connections, click Log connections. Kerio Control logs the communication to the Connection log.
  5. Click Apply.

Example

Although UPnP is a useful feature, it may also endanger network security, especially in networks with many users, where too many users could control the firewall. The firewall administrator should consider carefully whether to prefer security or the functionality of applications that require UPnP.

Using traffic policy, you can limit the use of UPnP and enable it only for certain IP addresses or certain users.

The first rule allows UPnP only from the UPnP Clients IP group. The second rule denies UPnP from all other hosts (IP addresses).
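
The following added example is not Kerio Control code. It is a small Python model of the behaviour described above: the two-rule policy (allow the UPnP Clients group, deny everyone else), denial of requests that collide with an existing mapping or traffic rule, and temporary mappings that end on release or timeout. The group range, ports, timeout value and the owner-only release check are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample policy: addresses, ports and the timeout are assumptions.
UPNP_CLIENTS = [ipaddress.ip_network("192.168.1.32/28")]  # "UPnP Clients" IP group
STATIC_RULE_PORTS = {("tcp", 443), ("tcp", 4090)}  # already opened by traffic rules
LEASE_SECONDS = 3600                               # assumed mapping timeout


@dataclass
class UpnpModel:
    mappings: dict = field(default_factory=dict)   # (proto, port) -> (host, expiry)

    def _expire(self, now):
        """Drop mappings whose timeout has passed (mappings are always temporary)."""
        self.mappings = {k: v for k, v in self.mappings.items() if v[1] > now}

    def request(self, client, proto, port, now):
        """Return (granted, reason) for a mapping request from a LAN host."""
        self._expire(now)
        addr = ipaddress.ip_address(client)
        # Rule 1: allow UPnP only from the UPnP Clients group.
        # Rule 2: deny UPnP from every other host.
        if not any(addr in net for net in UPNP_CLIENTS):
            return False, "denied by traffic policy"
        key = (proto, port)
        if key in STATIC_RULE_PORTS:
            return False, "collides with traffic rule"
        if key in self.mappings:
            return False, "collides with existing mapping"
        self.mappings[key] = (client, now + LEASE_SECONDS)
        return True, "mapped"

    def release(self, client, proto, port):
        """Remove a mapping on release; owner-only release is an assumption here."""
        entry = self.mappings.get((proto, port))
        if entry and entry[0] == client:
            del self.mappings[(proto, port)]
            return True
        return False


if __name__ == "__main__":
    fw = UpnpModel()
    for host, port in [("192.168.1.35", 6881), ("192.168.1.200", 5000),
                       ("192.168.1.35", 443), ("192.168.1.36", 6881)]:
        print(host, port, fw.request(host, "tcp", port, now=0))
```

Walking a planned policy through a model like this before enabling the service shows which hosts could open inbound ports and which requests the firewall would refuse.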