Sql error 26 kerio


SQL Network Interfaces, error: 26 – Error Locating Server/Instance Specified


What's new in GFI Archiver

Version 15.2

Released: August 11, 2021

Release notes

Fixes:

  • Deleted users are not found when searching in the Access Control or Archive tabs
  • User is not able to preview calendar items
  • Inline images in archived messages are not displayed
  • In Microsoft Outlook, the Outlook Connector window stays on top after opening the search menu
  • Dates are displayed in the English format even when another language is selected
  • On the Archive tab, the date and time shown for an email should match the date and time when it was archived in the local time
  • In GFI Directory, deleted users are not found when searching in the Access Control or Archive tabs
  • All emails should be previewed, downloaded, or sent to the designated email address without errors
  • Permission changes for deleting items should be reflected
  • Deleted calendar items should be removed from the calendar
  • User traffic reports for all users and for an individual user show different values
  • The version check says that the version is up to date even on Archiver versions lower than 15.1
  • Errors appear when journaling some email messages via Outlook
  • Upgrade the Telerik libraries to 2021.2
  • Archiver Import/Export tool fails to import large mailboxes from Microsoft Exchange
  • When viewing archived items, deleting an archived item does not remove it from the list
  • JavaScript errors are displayed in the browser console when viewing web pages in the browser

Downloads and Upgrades:

For product downloads and information about upgrading GFI Archiver, visit the GFI Upgrade Center.

If you have additional queries about these changes, please do not hesitate to contact us or an authorized GFI Partner directly.


Version 15.1

Released: November 26, 2020

Release notes

New:

  • Support for OAuth Authentication for Microsoft 365

Fixes:

  • "Restore x" panel is not visible inside the Email window after clicking "Restore to Mailbox" for the 1st time (SPA UI)
  • Mass Import from Microsoft 365 fails
  • Outlook auto-archive function crashes when the Outlook connector is enabled
  • Usernames or Passwords with special characters are unable to login (SPA UI)
  • Upgrading GFI Archiver to Version 15 on an SBS 2011 breaks Exchange 2010 Management Shell
  • Different results between legacy and SPA user interface
  • Several minor additional fixes to SPA UI
  • In a non-Exchange environment, IET force closes when importing a PST for a user without a mail* attribute
  • Users without access control permissions can view email subjects of other users when using the search in the SPA UI

For more information on how to set up GFI Archiver with Microsoft 365 please see here.


Version 15

Released: March 19, 2020

Release notes

New:

  • Brand new client-side HTML5 desktop web interface to browse archived items
  • Brand new responsive HTML5 web interface for mobile device access to browse archived items.
  • Generate MailInsight reports from any device and get results directly in your mailbox.
  • Easy to use web interface compatible with the latest web technologies

Fixes:

  • Emails imported from PST using IET do not display the sender name
  • Search / Advanced / Excludes filters don't work using meta params
  • Import Export Tool can't connect to mailboxes using only TLS1.2
  • BCC recipients are not being assigned ownership
  • Index rebuilding loop, infinite rebuild or showing as corrupt if merge operations fail when rebuilding multiple large stores
  • Any missing index.xml causes index credential validation to fail
  • Mailbox Restore Tool help URLs not working
  • Folder Structure Retrieval wizard fails with "Failed to start process while testing connection"
  • Attaching a store fails when the index folder contains at least 1 file with the exception of index.xml
  • Search / Simple / Difference in English vs Japanese version
  • Advanced search - including and excluding criteria based on email attachment parameters not working
  • Auditing does not add entries to Access Control table if the same group is added more than once under Configuration-Access Control-Configure Shared Mailboxes
  • Mailbox Restore Tool export ends at a particular calendar item without an itemType in arc table
  • Emails dropped for valid users in the inclusion list when a security group is changed to a disallowed distribution group in AD
  • SMTP client is unable to STARTTLS when only TLS1.2 is allowed
  • IET Export shows 1 result even without showing it on the records
  • Web Services invocation throws an error
  • Import-Export tool printing of emails does not show the list of all recipients in the BCC field
  • HealthMailboxes included in license count when ms-Exch-Recipient-Type-Details property isn't returned by the DC or a timeout with DC occurred
  • Mailbox Folder Structure is not imported into Archiver
  • Additional minor fixes and improvements

Note: v15 GFI Archiver license keys are required to activate GFI Archiver v15. The legacy web interface is still accessible under http://<server>/Archiver while the new interface is available under http://<server>/ArchiverSpa

Administrative configuration access is still available via the legacy configuration and that remains unchanged.


Version 14.2

Released: May 31, 2019

Release notes

Fixes:

  • Contains Document / Attachment Advanced search leads to error
  • Outlook Connector does not synchronize new emails until store service restart
  • Issues with Mail Servers to Archive wizard on Office 365
  • Outlook Connector synchronizes only latest store
  • User list not populating in the advanced search
  • Import/Export - Export progress is not pausing even though the Pause button is clicked
  • Translation issue in the Japanese version (Search fields)
  • Web Services GetMessage API call - 401 access denied
  • EWS AutoDiscovery fails when TLS1.2 is enforced
  • Delete button not hidden even if no permission for it to be visible

Version 14.1

Released: December 18, 2018

Release notes

Fixes:

  • Journal connection via EWS not working when TLS1.0 is disabled on Archiver, Exchange or both
  • Notifications are failing to be sent to GFI Archiver Administrator
  • No email report is sent when trying to send immediately or schedule a report for Job Search Report
  • Filter toolbar is disabled for 'Data Integrity' report page.
  • Records not displayed in User Audit Trail when Group by User view is selected
  • Journal connection via EWS not working when TLS1.0 is disabled and using manual host
  • Export to PST hangs after 100 emails
  • Install log filename referencing previous major version
  • On editing scheduled "Phrase Search" report its "Chart Type" gets changed
  • Import Export Tool does not sort store selection
  • Import Export Tool fails to export to pst with Folder Structure enabled in stores with duplicate tagIds
  • Import Export Tool hangs when trying to import an item with an unreadable character in the header
  • Outlook Connector Script Error: "Unable to get property 'hide' of undefined or null reference" in search item context menu
  • UI Advanced search unknown error
  • GetUsersTimestamp high execution counts impacting store service caching performance

Version 14

Released: October 9, 2018

Release notes

Notes:

  • Change in the licensing model. GFI Archiver is a subscription service product. Archiving & Searching is blocked if subscription expires

Fixes:

  • Import Export Tool skips folders due to "server cannot service this request right now"
  • Import Export Tool limits search to 100 items and even with more than 100 returned it exports maximum of 100 items
  • Audit Database Wizard cannot pass “Enable tracing” screen on Chrome Browser
  • Office 365 journaling moves all items to the failed folder or hangs due to "SendMeetingCancellations attribute is required for Calendar items"
  • Inconsistent UI search results
  • Mailbox Restore - export to pst ends prematurely
  • Archive Restrictions - adding email address of a security group saves a random member instead

Version 12.4

Released: June 12, 2018

GFI Archiver 12.4 includes search speed improvements of up to 2x from the previous version. This release also adds support for Microsoft SQL Server 2017 and improvements to stability and functionality of the product making it more reliable and easier to use.

Note: the next release of GFI Archiver will no longer support Windows Server 2008, Microsoft SQL Server 2008 R2, and Microsoft Exchange 2007

Release notes

New:

  • Search speed improvements to Quick Search
  • Search speed improvements to Simple Search
  • Search speed improvements to Advanced Search
  • Support for Microsoft SQL Server 2017

Fixes:

  • Import Export Tool: pst import failed items with no reason offered
  • Sync Files are displayed/downloaded with size = 0 bytes
  • Error displayed on Configure IMAP window
  • ExportSQLRawData fails to export data from SQL Full
  • Context menu not available on archived items
  • Import Export Tool: import from Exchange inbox - Error: "Value of '1478' is not valid for 'Value'"
  • Specific item causes all items (even valid ones) to fail to be archived
  • Auto-import via Archive Assistant is not working
  • MailInsights Reports not getting scheduled and generated after 30 reports
  • Archiving operations do not work, when Archive Assistant is installed in %appdata% being redirected via GPO to a network share.
  • When attaching a store from the UI, Archived Data Location verification fails due to extra white spaces in path
  • Mailbox Restore - "Error Listing Users" when searching for users
  • Import Export Tool: hangs when exporting huge number of emails
  • GFI Archiver Import Export tool fails to respond properly
  • Item "Mailbox Folder Structure Retrieval" is not being sorted correctly in Auditing page
  • Error when trying to export emails in MSG format
  • Archive page panels do not expand/collapse/restore properly
  • Search results should take up all the allotted horizontal space (as in View mode)
  • Duplicate "Forward" option displayed in Actions list
  • UI Issue - Border for list of scheduled reports is static

IMPORTANT - Changes to System Requirements

Changes to installation requirements

  • 64-bit versions of supported operating systems are required

Support Added

  • Microsoft SQL Server 2017

Upcoming End of Support

GFI Archiver version 12.4 is the last version that will support the following:

  • Windows Server 2008
  • Microsoft SQL Server 2008 R2
  • Microsoft Exchange 2007

Review the GFI Archiver manual for complete system requirements.


Version 12.3

Released: January 23, 2018

The latest version of GFI Archiver version 12.3 is now available for download.

This new version of GFI Archiver brings updates to individual product components for improved compatibility and search performance. This release focused on requested fixes and improvements to GFI Archiver.

See the Release Notes below for a complete list of updates.

New/updated features and improvements:

  • Updated dtSearch Engine
  • Updated Redemption component

Fixes:

  • Slow download for journal due to Calendar events parsing errors
  • Custom date issue in Homepage for mailflow chart

License Key:
License keys for GFI Archiver 12.0 are still supported for GFI Archiver 12.3 and no key updates are required.


Version 12.2

Released: June 27, 2017

This new version of GFI Archiver is a maintenance release that includes several bug fixes and improvements and addresses customer-requested fixes. Our focus for this release was on stability improvements and product quality to ensure customer satisfaction.

See the Release Notes below for a complete list of updates.

Fixes:

  • Auditing Report for Retention Policies is not working
  • Archiver is checking the date/time when invitation was sent not the actual time of the event
  • Auditing > Configuration with Configuration Section as "Security": New and Old entries format is not correct
  • Error.Ada.DirectoryFailed in Eventlog after patch
  • No Calendar Items displayed on "Display calendar view"
  • Permission "Connect using IMAP" is not enabled for Auditor role
  • Unable to archive Calendar items
  • Normal Retention is working but no audit entries displayed
  • Unable to download email in MSG format
  • Retention Rule does not run, showing .NET error
  • Mailinsight Report (Email Responsiveness) does not show emails replied under 2 minutes (1 min 59 sec)
  • Custom Date Range is not working on Advanced Search with Archiver DB Archive Stores
  • Unable to download from Tobit Journal - IMAP
  • Calendar items not showing in Calendar View

License Key:
License keys for GFI Archiver are still supported and no key updates are required.


Version 12.1

Released: January 24, 2017

GFI Archiver 12.1 (build 20161215) is now available for download. Upgrading from previous GFI Archiver versions is supported and handled automatically.

New/updated features and improvements:

  • Search engine update enabling much faster searches in the archive as well as the attachments
  • Better support for SSL/TLS connections
  • Windows Server 2016 Support.

Issues Resolved:

  • Start menu links to troubleshooter.exe, instead of logcollector.exe
  • Account list does not hold current archive store selected in archive page
  • Archive Assistant not working with %appdata% being redirected via GPO to a network share
  • Violation of PRIMARY KEY constraint 'PK_arc_msg_tags' when MAUpdateUsers is consolidating users
  • Other minor fixes.

NOTE: Microsoft Windows 2003 and Microsoft Exchange 2003 are not supported.


Version 12

Released: February 16, 2016

GFI Software™ maintains its commitment towards ensuring our solutions are compatible with the latest Microsoft® platforms as well as investing towards continuous improvement of its products and solutions. The release of the latest version of GFI Archiver 12 does this and more. 

This new updated version includes:

  • Support for new Microsoft Platforms such as Microsoft Exchange® 2016, Microsoft Outlook 2016 and Microsoft Windows 10.
  • Improved search functionality, giving quicker results to end users and administrators conducting a search query.
  • Additional bug fixes and enhancements.

Version 2015 SR1

Released: February 24, 2015

GFI Archiver 2015 SR1 ships with the following updated features and improvements.

Update:

  • Search and Index Language Analyzer can be turned OFF and ON

MailInsights Fixes:

  • When using GFI Directory Service or Office 365 some MailInsights reports were not accurate if users had a proxy email address.
  • Under certain conditions, schedule is not being saved for Monthly and Weekly scope.
  • In User Traffic Report when having large volume of users.

Search Fixes:

  • Search for certain Japanese and Chinese characters yields no results.
  • Searching for strings which contain the . (period) character

Other Fixes:

  • FAA failed to use the correct file path if it contained UNICODE characters.
  • FAA and Outlook Connector delayed for hours to synchronize mailbox for the first time because of time zone difference.
  • IMAP: MArc.IMAP.exe crashes when IMAP client requests certain emails
  • Microsoft Outlook crashes when Outlook Connector is installed aside of Microsoft Dynamics CRM Outlook Add-In.
  • VSS service not removed successfully during uninstall phase will cause installation to fail, roll back and leave MARC uninstalled
  • Other minor fixes.

Version 2015

Released: November 24, 2014

GFI Archiver enables companies to archive and manage their email, calendar and file history in one place and provides easy access to the data when they need it. GFI Archiver is an essential addition to any backup strategy because it keeps a readily available version of users’ email conversations as well as important files. 

The new version of GFI Archiver 2015 includes:

  • GFI Directory, an Active Directory replacement for GFI Archiver. Organizations who do not have Microsoft Active Directory can use GFI Archiver simply by installing it in GFI Directory mode.
  • History retention provides easy control over the storage of different versions of archived files.
  • Archive stores management utilities are now available as a separate download for all administrators who do maintenance jobs on their databases, including exporting to a new database and splitting older archive stores into smaller ones.


Administrator's Guide - Kerio Software Archive

Kerio Control

Administrator’s Guide

Kerio Technologies


© Kerio Technologies s.r.o. All rights reserved.

This guide provides a detailed description of the configuration and administration of Kerio Control, version 7.0.1. All additional modifications and updates reserved. The user interfaces Kerio StaR and Kerio Clientless SSL-VPN are covered in a standalone document, Kerio Control — User’s Guide. The Kerio VPN Client application is described in a standalone document, Kerio VPN Client — User’s Guide.

For the current version of the product, go to http://www.kerio.com/firewall/download. For other documents addressing the product, see http://www.kerio.com/firewall/manual.

Information regarding registered trademarks and trademarks is provided in appendix A.

Products Kerio Control and Kerio VPN Client include open source software. To view the list of open source items included, refer to attachment B.


Contents

1 Quick Checklist

2 Introduction

2.1 What’s new in 7.0

2.2 Conflicting software

2.3 System requirements

2.4 Installation - Windows

2.5 Initial configuration wizard (Windows)

2.6 Upgrade and Uninstallation - Windows

2.7 Installation - Software Appliance and VMware Virtual Appliance

2.8 Upgrade - Software Appliance / VMware Virtual Appliance

2.9 Kerio Control components

2.10 Kerio Control Engine Monitor (Windows)

2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance)

3 Kerio Control administration

3.1 Kerio Control Administration web interface

3.2 Administration Console - the main window

3.3 Administration Console - view preferences

4 License and Registration

4.1 License types (optional components)

4.2 Deciding on a number of users (licenses)

4.3 License information

4.4 Registration of the product in the Administration Console

4.5 Product registration at the website

4.6 Subscription / Update Expiration

5 Network interfaces

5.1 Groups of interfaces

5.2 Special interfaces

5.3 Viewing and editing interfaces

5.4 Adding new interface (Software Appliance / VMware Virtual Appliance)

5.5 Advanced dial-up settings

5.6 Supportive scripts for link control (Windows)

6 Internet Connection

6.1 Persistent connection with a single link

6.2 Connection with a single leased link - dial on demand

6.3 Connection Failover

6.4 Network Load Balancing

7 Traffic Policy

7.1 Network Rules Wizard

7.2 How traffic rules work

7.3 Definition of Custom Traffic Rules

7.4 Basic Traffic Rule Types

7.5 Policy routing

7.6 User accounts and groups in traffic rules

7.7 Partial Retirement of Protocol Inspector

7.8 Use of Full cone NAT

7.9 Media hairpinning

8 Firewall and Intrusion Prevention System

8.1 Network intrusion prevention system (IPS)

8.2 MAC address filtering

8.3 Special Security Settings

8.4 P2P Eliminator

9 Configuration of network services

9.1 DNS module

9.2 DHCP server

9.3 Dynamic DNS for public IP address of the firewall

9.4 Proxy server

9.5 HTTP cache

10 Bandwidth Limiter

10.1 How the bandwidth limiter works and how to use it

10.2 Bandwidth Limiter configuration

10.3 Detection of connections with large data volume transferred

11 User Authentication

11.1 Firewall User Authentication

12 Web Interface

12.1 Web interface and certificate settings information

12.2 User authentication at the web interface

13 HTTP and FTP filtering

13.1 Conditions for HTTP and FTP filtering

13.2 URL Rules

13.3 Content Rating System (Kerio Web Filter)

13.4 Web content filtering by word occurrence

13.5 FTP Policy

14 Antivirus control

14.1 Conditions and limitations of antivirus scan

14.2 How to choose and setup antiviruses

14.3 HTTP and FTP scanning

14.4 Email scanning

14.5 Scanning of files transferred via Clientless SSL-VPN (Windows)

15 Definitions

15.1 IP Address Groups

15.2 Time Ranges

15.3 Services

15.4 URL Groups

16 User Accounts and Groups

16.1 Viewing and definitions of user accounts

16.2 Local user accounts

16.3 Local user database: external authentication and import of accounts

16.4 User accounts in Active Directory — domain mapping

16.5 User groups

17 Administrative settings

17.1 System configuration (Software Appliance / VMware Virtual Appliance)

17.2 Setting Remote Administration

17.3 Update Checking

18 Other settings

18.1 Routing table

18.2 Universal Plug-and-Play (UPnP)

18.3 Relay SMTP server

19 Status Information

19.1 Active hosts and connected users

19.2 Network connections overview

19.3 List of connected VPN clients

19.4 Alerts

20 Basic statistics

20.1 Volume of transferred data and quota usage

20.2 Interface statistics

21 Kerio StaR - statistics and reporting

21.1 Monitoring and storage of statistic data

21.2 Settings for statistics and quota

21.3 Connection to StaR and viewing statistics

22 Logs

22.1 Log settings

22.2 Logs Context Menu

22.3 Alert Log

22.4 Config Log

22.5 Connection Log

22.6 Debug Log

22.7 Dial Log

22.8 Error Log

22.9 Filter Log

22.10 Http log

22.11 Security Log

22.12 Sslvpn Log

22.13 Warning Log

22.14 Web Log

23 Kerio VPN

23.1 VPN Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

23.2 Configuration of VPN clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

23.3 Interconnection of two private networks via the Internet (VPN tunnel) . . . 315

23.4 Exchange of routing information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

23.5 Example of Kerio VPN configuration: company with a filial office . . . . . . . . . 322

23.6 Example of a more complex Kerio VPN configuration . . . . . . . . . . . . . . . . . . . . 335

24 Kerio Clientless SSL-VPN (Windows) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

24.1 Kerio Control SSL-VPN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

24.2 Usage of the SSL-VPN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

25 Specific settings and troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

25.1 Configuration Backup and Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

25.2 Configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

25.3 Automatic user authentication using NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

25.4 FTP over Kerio Control proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

25.5 Internet links dialed on demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

6


26 Technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

26.1 Essential Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

26.2 Tested in Beta version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

A Legal Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

B Used open source items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

Glossary of terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

7


Chapter 1

Quick Checklist

In this chapter you can find a brief guide for a quick setup of Kerio Control. After this setup the firewall should be immediately available and able to share your Internet connection and protect your local network. For a detailed guide refer to the separate Kerio Control — Step-by-Step Configuration guide.

If you are unsure about any element of Kerio Control, simply look up an appropriate chapter in the manual. For information about your Internet connection (such as your IP address, default gateway, DNS server, etc.) contact your ISP.

Note: In this guide, the expression firewall represents the host where Kerio Control is (or will be) installed.

1. The firewall needs at least one interface connected to the local network (e.g. an Ethernet or WiFi network adapter). For Internet connection, another network adapter, USB ADSL modem, PPPoE, dial up or another facility is needed.

   On Windows, test functionality of the Internet connection and of traffic among hosts within the local network before you run the Kerio Control installation. This test will reduce possible problems with debugging and error detection.

2. Run Kerio Control installation and in the wizard provide required basic parameters (for details, see chapter 2.4 or 2.7).

3. Use Kerio Administration Console to connect to the firewall (see chapter 3).

4. Set interface groups and basic traffic rules using the Network Rules Wizard (see chapter 7.1).

5. Run the DHCP server and set required IP ranges including their parameters (subnet mask, default gateway, DNS server address/domain name). For details, see chapter 9.2.

   TIP: DHCP server can be configured automatically in accordance with LAN interface parameters. Automatic configuration of DHCP server can now be enabled only in the Kerio Control Administration web interface (see chapter 3.1).

6. Check DNS module settings. Define the local DNS domain if you intend to use the hosts file and/or the DHCP server table. For details, see chapter 9.1.

7. Set user mapping from the Active Directory domain or create/import local user accounts and groups. Set user access rights. For details see chapter 16.

8. Enable the intrusion prevention system (see chapter 8.1).

9. Select an antivirus and define types of objects that will be scanned.

   If you choose the integrated Sophos antivirus application, check automatic update settings and edit them if necessary.

   External antivirus must be installed before it is set in Kerio Control, otherwise it is not available in the combo box.

10. Define IP groups (chapter 15.1), time ranges (chapter 15.2) and URL groups (chapter 15.4) that will be used during rules definition (refer to chapter 15.2).

11. Create URL rules (chapter 13.2). Set Kerio Web Filter (chapter 13.3) and automatic configuration of web browsers (chapter 9.5).

12. Define FTP rules (chapter 13.5).

13. Using one of the following methods set TCP/IP parameters for the network adapter of individual LAN clients:

    • Automatic configuration — enable automatic DHCP configuration (set by default on most operating systems). Do not set any other parameters.

    • Manual configuration — define IP address, subnet mask, default gateway address, DNS server address and local domain name.

    Use one of the following methods to set the Web browser at each workstation:

    • Automatic configuration — activate the Automatically detect settings option (Internet Explorer) or specify URL for automatic configuration (other types of browsers). For details, refer to chapter 9.5.

    • Manual configuration — select type of connection via the local network or define IP address and appropriate proxy server port (see chapter 9.4).


Chapter 2

Introduction

2.1 What’s new in 7.0

Kerio Control 7.0 brings the following improvements:

New product name — Kerio Control

Kerio WinRoute Firewall is no longer just a network firewall. New features added in versions 6.x and 7.0 make the software a complex tool combining features for local network security, remote network access as well as user Internet access control and monitoring. The name Kerio Control is derived from the user access control feature.

Intrusion Detection and Prevention System (IPS/IDS)

Kerio Control now integrates one of the most widely used intrusion detection and prevention systems — Snort. This system enhances security provided by the firewall and makes Kerio Control a UTM solution (Unified Threat Management).

More details can be found in chapter 8.1.

New integrated antivirus engine — Sophos

Kerio Control includes an all-new antivirus engine — Sophos. This scan engine offers extreme performance and includes a variety of innovative technologies designed to eliminate the threat of malware.

The antivirus will run as a 30 day trial upon initial installation. When upgrading, the McAfee engine will automatically be replaced by the new Sophos engine.

More details can be found in chapter 14.

MAC address filtering

This new module in the firewall enables network traffic filtering by physical addresses (MAC addresses) of network devices. Filtering by physical address helps, for example, to prevent users from making undesirable connections to the network or getting around the firewall traffic policy by changing the IP address of their device.

More details can be found in chapter 8.2.

New licensing policy

Licensing policy for Kerio Control has been changed. Now it is possible to purchase licenses for customized number of users.

Refer to chapter 4 for more information.


Warning:

Some configuration parameters have been changed between 6.x and version 7.0.0. Although updates are still performed automatically and seamlessly, it is necessary to mind these tiny changes. Detailed information:

• Edition for Windows — see chapter 2.6,

• Edition for Software Appliance / VMware Virtual Appliance — see chapter 2.8.

After update, it is recommended to check Warning log carefully (see chapter 22.13).

2.2 Conflicting software

Kerio Control can be run with most common applications. However, there are certain applications that should not be run on the same host as WinRoute, because this could result in collisions.

The computer where Kerio Control is installed (the host) can also be used as a workstation. However, it is not recommended — user interaction may affect performance of the operating system, which affects Kerio Control performance badly.

Collision of low-level drivers

Kerio Control collides with system services and applications whose low-level drivers use a similar or an identical technology. The security log contains the following types of services and applications:

• The Internet Connection Firewall / Internet Connection Sharing system service. Kerio Control can detect and automatically disable this service.

• The system service Routing and Remote Access Service (RRAS) in Windows Server operating systems. This service also allows sharing of Internet connection (NAT). Kerio Control can detect if NAT is active in the RRAS service; if it is, a warning is displayed. In reaction to the alert message, the server administrator should disable NAT in the RRAS configuration.

  If NAT is not active, collisions should be avoided and Kerio Control can be used hand in hand with the RRAS service.

• Network firewalls — e.g. Microsoft ISA Server.

• Personal firewalls, such as Sunbelt Personal Firewall, Zone Alarm, Norton Personal Firewall, etc.

• Software designed to create virtual private networks (VPN) — i.e. software applications developed by the following companies: CheckPoint, Cisco Systems, Nortel, etc. There are many applications of this type and their features vary from vendor to vendor.

  Under proper circumstances, use of the VPN solution included in Kerio Control is recommended (for details see chapter 23). Otherwise, we recommend you to test a particular VPN server or VPN client with Kerio Control trial version or to contact our technical support (see chapter 26).

  Note: VPN implementation included in Windows operating system (based on the PPTP protocol) is supported by Kerio Control.

Port collision

Applications that use the same ports as the firewall cannot be run at the Kerio Control host (or the configuration of the ports must be modified).

If all services are running, Kerio Control uses the following ports:

• 53/UDP — DNS module,

• 67/UDP — DHCP server,

• 1900/UDP — the SSDP Discovery service,

• 2869/TCP — the UPnP Host service.

  The SSDP Discovery and UPnP Host services are included in the UPnP support (refer to chapter 18.2).

• 4080/TCP — non-secured firewall’s web interface (see chapter 12). This service cannot be disabled.

• 4081/TCP — secured (SSL-encrypted) version of the firewall’s web interface (see chapter 12). This service cannot be disabled.

• 44333/TCP+UDP — traffic between Kerio Administration Console and the Kerio Control Engine. This service cannot be disabled.

The following services use corresponding ports by default. Ports for these services can be changed.

• 443/TCP — server of the SSL-VPN interface (only in Kerio Control on Windows — see chapter 24),

• 3128/TCP — HTTP proxy server (see chapter 9.4),

• 4090/TCP+UDP — proprietary VPN server (for details refer to chapter 23).
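A pre-installation check against the port list above, as an added example that is not part of the Kerio manual: it parses `netstat -ano` output from the intended host and flags sockets already bound to a port Kerio Control uses. The netstat text is constructed sample data, and the function names are this example's own.

```python
from typing import NamedTuple

# Ports from the manual's "Port collision" list. changeable=True marks the three
# services whose port, according to the manual, can be changed in Kerio Control.
KERIO_PORTS = {
    ("UDP", 53): ("DNS module", False),
    ("UDP", 67): ("DHCP server", False),
    ("UDP", 1900): ("SSDP Discovery service", False),
    ("TCP", 2869): ("UPnP Host service", False),
    ("TCP", 4080): ("web interface (non-secured)", False),
    ("TCP", 4081): ("web interface (SSL)", False),
    ("TCP", 44333): ("Administration Console <-> Engine", False),
    ("UDP", 44333): ("Administration Console <-> Engine", False),
    ("TCP", 443): ("SSL-VPN interface", True),
    ("TCP", 3128): ("HTTP proxy server", True),
    ("TCP", 4090): ("Kerio VPN server", True),
    ("UDP", 4090): ("Kerio VPN server", True),
}

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       2216
  TCP    192.168.1.10:49712     192.0.2.20:443         ESTABLISHED     4120
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:53             *:*                                    1500
  UDP    [::]:1900              *:*                                    1320
  UDP    0.0.0.0:5353           *:*                                    1500
"""


class Listener(NamedTuple):
    proto: str
    port: int
    pid: int


def parse_listeners(netstat_text):
    """Extract bound sockets from `netstat -ano` output.

    TCP rows count only in state LISTENING. UDP rows have no state column,
    so every UDP row is a bound socket.
    """
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        # rsplit keeps IPv6 local addresses such as [::]:1900 intact
        port_text = local.rsplit(":", 1)[-1]
        if not (port_text.isdigit() and parts[-1].isdigit()):
            continue
        # the set collapses the IPv4 and IPv6 rows of one listener
        found.add(Listener(proto, int(port_text), int(parts[-1])))
    return sorted(found)


def find_collisions(listeners):
    """Return (listener, kerio_service, changeable) for each socket on a Kerio Control port."""
    hits = []
    for listener in listeners:
        entry = KERIO_PORTS.get((listener.proto, listener.port))
        if entry:
            hits.append((listener, entry[0], entry[1]))
    return hits


def report(hits):
    """One line per collision, with the remedy the manual leaves open."""
    lines = []
    for listener, service, changeable in hits:
        if changeable:
            action = "change the port in Kerio Control or stop the other program"
        else:
            action = "stop or reconfigure the other program"
        lines.append(f"{listener.proto}/{listener.port} pid {listener.pid}: "
                     f"collides with {service}; {action}")
    return lines


if __name__ == "__main__":
    for line in report(find_collisions(parse_listeners(SAMPLE_NETSTAT))):
        print(line)
```

Matching is per protocol: the TCP listener on port 53 in the sample is not reported, because the list above names only 53/UDP.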

Antivirus applications

Most modern desktop antivirus programs (antivirus applications designed to protect desktop workstations) also scan network traffic — typically HTTP, FTP and email protocols. Kerio Control also provides this feature, which may cause collisions. Therefore it is recommended to install a server version of your antivirus program on the Kerio Control host. The server version of the antivirus can also be used to scan Kerio Control’s network traffic or as an additional check to the integrated antivirus Sophos (for details, see chapter 14).

If the antivirus program includes so called realtime file protection (automatic scan of all read and written files), it is necessary to exclude the directories cache (HTTP cache in Kerio Control, see chapter 9.5) and tmp (used for antivirus check). If Kerio Control uses an antivirus to check objects downloaded via HTTP or FTP protocols (see chapter 14.3), the cache directory can be excluded with no risk — files in this directory have already been checked by the antivirus.

The Sophos integrated antivirus plug-in does not interact with antivirus application installed on the Kerio Control host (provided that all the conditions described above are met).

2.3 System requirements

The minimum hardware configuration recommended for Kerio Control:

• CPU 1 GHz,

• 1 GB RAM,

• At least one network interface.

For Windows:

• 100 MB free disk space for installation of Kerio Control.

• Free disk space for statistics (see chapter 21), HTTP cache (see chapter 9.5) and logs (in accordance with their frequency and logging level settings — see chapter 22). For security reasons, all this data is saved in the application’s installation directory subfolders. It is not possible to use another partition or disk.

• To keep the installed product (especially its configuration files) as secure as possible, it is recommended to use the NTFS file system.

For Kerio Control Software Appliance:

• Minimum 3 GB hard disk.

• No operating system is required to be installed on the computer. Any existing operating system will be removed from the computer.

For Kerio Control VMware Virtual Appliance:

• VMware Player, VMware Workstation or VMware Server.

• 3 GB free disk space.

The following web browsers can be used to access Kerio Control web services (Kerio Control Administration — see chapter 3, Kerio StaR — see chapter 21 and Kerio SSL-VPN — see chapter 24):

• Internet Explorer 7 or higher,

• Firefox 3 or higher,

• Safari 3 or higher.

2.4 Installation - Windows

Installation packages

Kerio Control is distributed in two editions: one is for 32-bit systems and the other for 64-bit systems (see the product’s download page: http://www.kerio.com/firewall/download).

The 32-bit edition (the “win32” installation package) supports the following operating systems:

• Windows 2000,

• Windows XP (32 bit),

• Windows Server 2003 (32 bit),

• Windows Vista (32 bit),

• Windows Server 2008 (32 bit),

• Windows 7 (32 bit).

The 64-bit edition (the “win64” installation package) supports the following operating systems:

• Windows XP (64 bit),

• Windows Server 2003 (64 bit),

• Windows Vista (64 bit),

• Windows Server 2008 (64 bit),

• Windows 7 (64 bit).

Older versions of Windows operating systems are not supported.

Note:

1. Kerio Control installation packages include the Kerio Administration Console. The separate Kerio Administration Console installation package (file kerio-control-admin*.exe) is designed for full remote administration from another host. This package is identical both for 32-bit and 64-bit Windows systems. For details on Kerio Control administration, see chapter 3.

2. For correct functionality of the Kerio StaR interface (see chapter 21), it is necessary that the Kerio Control host’s operating system supports all languages that would be used in the Kerio StaR interface. Some languages (Chinese, Japanese, etc.) may require installation of supportive files. For details, refer to documents regarding the corresponding operating system.

Steps to be taken before the installation

Install Kerio Control on a computer which is used as a gateway connecting the local network and the Internet. This computer must include at least one interface connected to the local network (Ethernet, WiFi, etc.) and at least one interface connected to the Internet. You can use either a network adapter (Ethernet, WiFi, etc.) or a modem (analog, ISDN, etc.) as an Internet interface.

We recommend you to check through the following items before you run Kerio Control installation:

• Time of the operating system should be set correctly (for timely operating system and antivirus upgrades, etc.),

• The latest service packs and any security updates should be applied,

• TCP/IP parameters should be set for all available network adapters,

• All network connections (both to the local network and to the Internet) should function properly. You can use for example the ping command to detect time that is needed for connections.

These checks and pre-installation tests may protect you from later problems and complications.

Note: Basic installation of all supported operating systems includes all components required for smooth functionality of Kerio Control.

Installation and Basic Configuration Guide

Once the installation program is launched (i.e. by kerio-control-7.0.0-1000-win32.exe), it is possible to select a language for the installation wizard. Language selection affects only the installation; language of the user interface can then be set separately for individual Kerio Control components.

In the installation wizard, you can choose either Full or Custom installation. Custom mode will let you select optional components of the program:

Figure 2.1: Installation — customization by selecting optional components

• Kerio Control Engine — core of the application.

• VPN Support — proprietary VPN solution developed by Kerio Technologies (Kerio VPN).

• Administration Console — the Kerio Administration Console application (universal console for all server applications of Kerio Technologies) including Kerio Control administration tools.

• Help files — this manual in the HTML Help format. For help files details, see Kerio Administration Console — Help (available at http://www.kerio.com/firewall/manual).

Go to chapter 2.9 for a detailed description of all Kerio Control components. For detailed description on the proprietary VPN solution, refer to chapter 23.

Having completed this step, you can start the installation process. All files will be copied to the hard disk and all the necessary system settings will be performed. The initial wizard for basic Kerio Control configuration will be run automatically after your first login (see chapter 2.5).

Under usual circumstances, reboot of the computer is not required after the installation (restart may be required if the installation program rewrites shared files which are currently in use). This will install the Kerio Control Engine low-level driver into the system kernel. Kerio Control Engine and Kerio Control Engine Monitor will be automatically launched when the installation is complete. The engine runs as a service.

Note:

1. If you selected the Custom installation mode, the behavior of the installation program will be as follows:

   • all checked components will be installed or updated,

   • all unchecked components will not be installed or will be removed.

   During an update, all components that are intended to remain must be ticked.

2. The installation program does not allow installing the Administration Console separately. Installation of the Administration Console for the full remote administration requires a separate installation package (file kerio-control-admin*.exe).

Protection of the installed product

To provide the firewall with the highest security possible, it is necessary to ensure that undesirable (unauthorized) persons have no access to the critical files of the application, especially to configuration files. If the NTFS system is used, Kerio Control refreshes settings related to access rights to the directory (including all subdirectories) where the firewall is installed upon each startup. Only members of the Administrators group and local system account (SYSTEM) are assigned the full access (read/write rights); other users are not allowed to access the directory.

Warning:

If the FAT32 file system is used, it is not possible to protect Kerio Control in the above way. Thus, we strongly recommend to install Kerio Control only on NTFS disks.
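One way to verify the access rights described above, as an added example that is not part of the Kerio manual: it parses the output of the Windows `icacls` command for the installation directory and reports anything other than full control for Administrators and SYSTEM only. The `icacls` outputs are constructed samples, the principal names are those of an English Windows installation, and the function names are this example's own.

```python
import re

# Principals the manual says keep full access. Names as shown by an English
# Windows installation (assumption: they are localized on other language versions).
ALLOWED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}
# icacls inheritance markers; everything else in parentheses is a right or DENY.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^()]*\))+)$")

# Typical installation path named in the manual.
INSTALL_DIR = r"C:\Program Files\Kerio\WinRoute Firewall"

# Constructed sample: the state the manual describes for an NTFS install.
SAMPLE_LOCKED = INSTALL_DIR + r""" NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                         BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: a directory that still carries inherited default entries.
SAMPLE_OPEN = INSTALL_DIR + r""" NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         BUILTIN\Users:(I)(OI)(CI)(RX)
                                         CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Return [(principal, rights, is_deny)] from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # the first row is prefixed with the path
        match = ACE_RE.match(line)
        if not match:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([^()]*)\)", match.group("flags"))
        is_deny = "DENY" in groups
        rights = [g for g in groups if g not in INHERIT_FLAGS and g != "DENY"]
        aces.append((match.group("who"), ",".join(rights), is_deny))
    return aces


def audit(output, path):
    """List findings that contradict 'only Administrators and SYSTEM have full access'."""
    aces = parse_icacls(output, path)
    findings = []
    for who, rights, is_deny in aces:
        if who not in ALLOWED and not is_deny:
            findings.append(f"unexpected access for {who}: {rights}")
    for who in sorted(ALLOWED):
        has_full = any(w == who and not d and "F" in r.split(",") for w, r, d in aces)
        if not has_full:
            findings.append(f"{who} lacks full control (F)")
    return findings


if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("open", SAMPLE_OPEN)):
        print(name, audit(sample, INSTALL_DIR) or "matches the manual's description")
```

Because Kerio Control refreshes these rights on each startup, a finding that reappears after a restart suggests the directory is not on NTFS or the refresh did not run.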

Conflicting Applications and System Services

The Kerio Control installation program detects applications and system services that might conflict with the Kerio Control Engine.

1. Windows Firewall’s system components¹ and Internet Connection Sharing.

   These components provide the same low-level functions as Kerio Control. If they are running concurrently with Kerio Control, the network communication would not be functioning correctly and Kerio Control might be unstable. Both components are run by the Windows Firewall / Internet Connection Sharing system service².

   Warning:

   To provide proper functionality of Kerio Control, it is necessary that the Internet Connection Firewall / Internet Connection Sharing detection is stopped and forbidden!

2. Universal Plug and Play Device Host and SSDP Discovery Service

   The listed services support UPnP protocol (Universal Plug and Play) on Windows. However, these services collide with the UPnP support in Kerio Control (refer to chapter 18.2).

The Kerio Control installation includes a dialog where it is possible to disable colliding system services.

By default, the Kerio Control installation disables all the colliding services listed. Under usual circumstances, it is not necessary to change these settings. Generally, the following rules are applied:

• The Windows Firewall / Internet Connection Sharing (ICS) service should be disabled. Otherwise, Kerio Control will not work correctly. The option is a certain kind of warning which informs users that the service is running and that it should be disabled.

• To enable support for the UPnP protocol in Kerio Control (see chapter 18.2), it is necessary to disable also services UPnP Device Host and SSDP Discovery Service.

• It is not necessary to disable the services unless you need to use the UPnP in Kerio Control.

¹ In Windows XP Service Pack 1 and older versions, the integrated firewall is called Internet Connection Firewall.

² In the older Windows versions listed above, the service is called Internet Connection Firewall / Internet Connection Sharing.

Figure 2.2: Disabling colliding system services during installation

Note:

1. Upon each startup, Kerio Control detects automatically whether the Windows Firewall / Internet Connection Sharing is running. If it is, WinRoute stops it and makes a record in the Warning log. This helps assure that the service will be enabled/started immediately after the Kerio Control installation.

2. On Windows XP Service Pack 2, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7, Kerio Control registers in the Security Center automatically. This implies that the Security Center always indicates firewall status correctly and it does not display warnings informing that the system is not protected.

2.5 Initial configuration wizard (Windows)

Using this wizard you can define all basic Kerio Control parameters. It is started automatically by the installation program for Windows.

Setting of administration username and password

Definition of the administration password is essential for the security of the firewall. Do not use the standard (blank) password, otherwise unauthorized users may be able to access the Kerio Control configuration.

Figure 2.3: Initial configuration — Setting of administration username and password

Password and its confirmation must be entered in the dialog for account settings. The name Admin can be changed in the Username edit box.

Note: If the installation is running as an upgrade, this step is skipped since the administrator account already exists.

Remote Access

Immediately after the first Kerio Control Engine startup all network traffic will be blocked (desirable traffic must be permitted by traffic rules — see chapter 7). If Kerio Control is installed remotely (i.e. using terminal access), communication with the remote client will also be interrupted immediately (Kerio Control must be configured locally).

Within Step 2 of the configuration wizard, specify the IP address of the host from which the firewall will be controlled remotely to enable remote installation and administration (provided that the Kerio Control Engine is started). Thus Kerio Control will enable all traffic between the firewall and the remote host.

Note: Skip this step if you install Kerio Control locally. Allowing full access from a point might endanger security.

Enable remote access

This option enables full access to the Kerio Control computer from a selected IP address.

Remote IP address

IP address of the computer from where you will be connecting (e.g. terminal services client). This field must contain an IP address. A domain name is not allowed.

Figure 2.4: Initial configuration — Allowing remote administration

Warning:

The remote access rule is disabled automatically when Kerio Control is configured using the network policy wizard (see chapter 7.1).

2.6 Upgrade and Uninstallation - Windows

Upgrade

Simply run the installation of a new version to upgrade WinRoute (i.e. to get a new release from the Kerio Web pages — http://www.kerio.com/).

All windows of the Kerio Administration Console must be closed before the (un)installation is started. Components Kerio Control Engine and Kerio Control Engine Monitor will be stopped and closed automatically by the installation program.

The installation program detects the directory with the former version and updates it by replacing appropriate files with the new ones automatically. License, all logs and user defined settings are kept safely.

Note: This procedure applies to upgrades between versions of the same series (e.g. from 7.0.0 to 7.0.1) or from a version of the previous series to a version of the subsequent series (e.g. from Kerio WinRoute Firewall 6.7.1 to Kerio Control 7.0.0). In case of upgrades from an older series version (e.g. 6.6.1), full compatibility of the configuration cannot be guaranteed and it is recommended to upgrade “step by step” (e.g. 6.6.1 → 6.7.1 → 7.0.0) or to uninstall the old version along with all files and then install the new version “from scratch”.

Warning:

Some configuration parameters have been changed between 6.x and version 7.0.0. Although updates are still performed automatically and seamlessly, it is necessary to mind the changes that take effect immediately upon installation of the new version.

The following parameters are affected:

• HTTP cache directory — newly, the firewall installation directory’s cache subfolder is always used, typically

  C:\Program Files\Kerio\WinRoute Firewall\cache.

  In case that the HTTP cache is located in a different directory, it can be moved (provided that the Kerio Control Engine service is not running). However, such a measure can be rather counterproductive, as the product update actually empties the cache, which may often increase its effectiveness.

  For details on HTTP cache, see chapter 9.5.

• Supportive scripts for dial-up control — these scripts must always be saved in the firewall installation directory’s scripts subfolder, typically

  C:\Program Files\Kerio\WinRoute Firewall\scripts

  and they all need fixed names.

  If these scripts were used in the previous version of the product, it is necessary to move them to the directory with correct names used.

  For details on dial-up configuration, see chapter 6.2.

• Log file names — fixed log file names are set now (alert.log, config.log, debug.log, etc.).

  The same path used for saving log files is kept — logs are saved under the logs subdirectory under the firewall installation directory, typically

  C:\Program Files\Kerio\WinRoute Firewall\logs

  If log file names have been changed, the original files are kept and new logs are recorded in files with corresponding names.

• Log type (Facility) and its Severity for external logging on the Syslog server — fixed facility and severity values of individual logs of Kerio Control are now set. This is a fact to bear in mind while viewing firewall logs on the Syslog server.

  For details on log settings, see chapter 22.1.

After update, it is recommended to check Warning log carefully (see chapter 22.13).

Update Checker

Kerio Control enables automatic checks for new versions of the product at the Kerio Technologies

website. Whenever a new version is detected, its download and installation will be offered

automatically.

21


Introduction

For details, refer to chapter 17.3.

Uninstallation

Before uninstalling the product, it is recommended to close all Kerio Control components. The

Add/Remove Programs option in the Control Panel launches the uninstallation process. All

files under the Kerio Control directory can be optionally deleted.

(the typical path is C:\Program Files\Kerio\WinRoute Firewall)

— configuration files, SSL certificates, license key, logs, etc.

Figure 2.5

Uninstallation — asking user whether files created in Kerio Control should be deleted

Keeping these files may be helpful for copying the configuration to another host or if it is

not certain whether the SSL certificates were issued by a trustworthy certification authority.

During uninstallation, the Kerio Control installation program automatically restores the

original status of the Windows Firewall / Internet Connection Sharing, Universal Plug and Play

Device Host and SSDP Discovery Service system services.

2.7 Installation - Software Appliance and VMware Virtual Appliance

Kerio Control in the software appliance edition is distributed:

• as an ISO of the installation CD which is used to install the system and then install the

firewall either on a physical or virtual computer (Software Appliance),

• as a virtual appliance for VMware (VMware Virtual Appliance).

A standalone Kerio Control installation package for installation on a previously installed Linux system is

not available.


Software Appliance / VMware Virtual Appliance installation process consists of the following

simple steps:

Start of the installation

Software Appliance

ISO image of the installation CD can be burned on a physical CD and then the CD can

be used for installation of the system on the target computer (either physical or virtual).

In case of virtual computers, the ISO image can be also connected as a virtual CD ROM,

without the need to burn the installation ISO file on a CD.

Note: Kerio Control Software Appliance cannot be installed on a computer with another

operating system. Existing operating system on the target disk will be removed within

the installation.

VMware Virtual Appliance

Supported VMware hypervisor versions:

• Workstation 6.5 and 7.0

• Server 2.0

• Fusion 2.0 and 3.0

• Player 2.5 and 3.0

• ESX 3.5 and 4.0

• ESXi 3.5 and 4.0

Use an installation package in accordance with the type of your VMware product (see

above):

• In case of products VMware Server, Workstation and Fusion, download the

compressed VMX distribution file (*.zip), unpack it and open it in your

VMware product.

• You can import a virtual appliance directly to VMware ESX/ESXi from the URL of

the OVF file — for example:

http://download.kerio.com/dwn/control/kerio-control-appliance-7.0.0-1234-linux.ovf

VMware ESX/ESXi automatically downloads the OVF configuration file and

a corresponding disk image (.vmdk).

If you import virtual appliance in the OVF format, bear in mind the following specifics:

• In the imported virtual appliance, time synchronization between the host and

the virtual appliance is disabled. However, Kerio Control features a proprietary

mechanism for synchronization of time with public Internet time servers.

Therefore, it is not necessary to enable synchronization with the host.

• Tasks for shutdown or restart of the virtual machine will be set to default values

after the import. These values can be set to “hard” shutdown or “hard” reset.

However, this may cause loss of data on the virtual appliance. Kerio Control

VMware Virtual Appliance supports so called Soft Power Operations which


allow the hosted operating system to be shut down or restarted properly. Therefore, it is

recommended to set shutdown or restart of the hosted operating system as the

value.

The following steps are identical both for Software Appliance and Virtual Appliance.

Language selection

The selected language will be used both for Kerio Control installation and for the firewall’s

console (see chapter 2.11).

Selection of target hard disk

If the installation program detects more hard disks in the computer, then it is necessary to

select a disk for Kerio Control installation. Content of the selected disk will be completely

removed before Kerio Control installation, while other disks are not affected by the installation.

If only one hard disk is detected on the computer, the installer continues with the

following step automatically. If no hard disk is found, the installation is closed. Such an error is

often caused by an unsupported hard disk type or hardware defect.

Selection of network interface for the local network and access to administration

The installer lists all detected network interfaces of the firewall. Select an interface which is

connected to the local (trustworthy) network which the firewall will be remotely administered

from.

In the field, a computer may have multiple interfaces of the same type and it is therefore not

easy to recognize which interface is connected to the local network and which to the Internet.

To a certain extent, hardware addresses of the adapters can be a clue or you can experiment

— select an interface, complete the installation and try to connect to the administration. If the

connection fails, use option Network Configuration in the main menu of the firewall’s console

to change the settings (see chapter 2.11).

There can also arise another issue — that the program does not detect some or any network

adapters. In such case, it is recommended to use another type of the physical or virtual (if the

virtual computer allows this) adapter or install Kerio Control Software Appliance on another

type of virtual machine. If such issue arises, it is highly recommended to consult the problem

with the Kerio Technologies technical support (see chapter 26).

Provided that no network adapter can be detected, it is not possible to continue installing

Kerio Control.


Setting of the local interface’s IP address

It is now necessary to define IP address and subnet mask for the selected local network

interface. These parameters can be defined automatically by using information from a DHCP

server or manually.

For the following reasons, it is recommended to set local interface parameters manually:

• Automatically assigned IP address can change which may cause problems with

connection to the firewall administration (although the IP address can be reserved

on the DHCP server, this may bring other problems).

• In most cases Kerio Control will be probably used itself as a DHCP server for local

hosts (workstations).

Admin password

The installation requires specification of the password for the account Admin (the account of

the main administrator of the firewall). The username Admin and this password are then used for

access:

• to the firewall’s console (see chapter 2.11),

• to the remote administration of the firewall via the web administration interface (see

chapter 3),

• to the remote administration of the firewall via the Kerio Administration Console (see

chapter 3).

Remember this password or save it in a secured location and keep it from anyone else!

Time zone, date and time settings

Many Kerio Control features (user authentication, logs, statistics, etc.) require correct setting

of date, time and time zone on the firewall. Select your time zone and in the next page check

(and change, if necessary) date and time settings.

Completing the installation

Once all these parameters are set, the Kerio Control Engine service (daemon) is started.

While the firewall is running, the firewall’s console will display information about

remote administration options and change of some basic configuration parameters — see

chapter 2.11.


2.8 Upgrade - Software Appliance / VMware Virtual Appliance

Kerio Control can be upgraded by the following two methods:

• by starting the system from the installation CD (or a mounted ISO) of the new version.

The installation process is identical with the process of a new installation with the

only exception that at the start the installer asks you whether to execute an upgrade

(any existing data will be kept) or a new installation (all configuration files, statistics,

logs, etc. will be removed). For details, see chapter 2.7.

• by the Kerio Administration Console update checker. For details, refer to chapter 17.3.

Warning:

Since 6.7.1, some configuration parameters have been changed for version 7.0.0. Although

updates are still performed automatically and seamlessly, it is necessary to mind the

changes described above that take effect immediately upon installation of the new version.

The following parameters are affected:

• Log file names — fixed log file names are set now (alert.log, config.log,

debug.log, etc.).

The path for saving the log files is kept unchanged — logs are saved under

/opt/kerio/winroute/logs

If log file names have been changed, the original files are kept and new logs are

recorded in files with corresponding names.

• Log type (Facility) and its Severity for external logging on the Syslog server — fixed

facility and severity values of individual logs of Kerio Control are now set. This is

a fact to bear in mind while viewing firewall logs on the Syslog server.

For details on log settings, see chapter 22.1.

After update, it is recommended to check the Warning log carefully (see chapter 22.13).

2.9 Kerio Control components

Kerio Control consists of these components:

Kerio Control Engine

The core of the program that executes all services and functions. It is running as a service

in the operating system (the service is called Kerio Control and it is run automatically

within the system account by default).

Kerio Control Engine Monitor (Windows only)

Allows viewing and modification of the Engine’s status (stopped / running) and setting

of start-up preferences (i.e. whether Engine and Monitor should be run automatically at

system start-up). It also provides easy access to the Administration Console. For details,

refer to chapter 2.10.


Note: Kerio Control Engine is independent from the Kerio Control Engine Monitor. The

Engine can be running even if there is no icon in the system tray.

Kerio Administration Console (Windows only)

It is a versatile console for full local or remote administration of Kerio Technologies

server products. For successful connection to an application you need a plug-in with

an appropriate interface.

Kerio Administration Console is installed on Windows hand-in-hand with the appropriate

module during the installation of Kerio Control. The separate installation package Kerio

Administration Console for Kerio Control is available for remote administration from

another host. The Kerio Administration Console is available for Windows only, but it can

be used for administration of both Kerio Control installed on Windows and Kerio Control

Software Appliance / VMware Virtual Appliance.

Detailed guidance for Kerio Administration Console is provided in Kerio Administration

Console — Help (http://www.kerio.com/firewall/manual).

The firewall’s console (Software Appliance / VMware Virtual Appliance only)

The firewall’s console is a simple interface permanently running on the Kerio Control

host. It allows setting basic parameters of the operating system and the firewall for cases

when it is not possible to administer it remotely via the Administration web interface or

the Kerio Administration Console.

2.10 Kerio Control Engine Monitor (Windows)

Kerio Control Engine Monitor is a standalone utility used to control and monitor the Kerio

Control Engine status. The icon of this component is displayed on the toolbar.

Figure 2.6

Kerio Control Engine Monitor icon in the Notification Area

If Kerio Control Engine is stopped, a red spot with a white cross appears on the icon. Starting or

stopping the service can take several seconds. During this time the icon is greyed out and inactive.

On Windows, left double-clicking on this icon runs the Kerio Administration Console (described

later). Use the right mouse button to open the following menu:

Start-up Preferences

With these options Kerio Control Engine and/or Engine Monitor applications can be set

to be launched automatically when the operating system is started. Both options are

enabled by default.

Administration

Runs Kerio Administration Console (equal to double-clicking on the Engine Monitor icon).


Figure 2.7

Kerio Control Engine Monitor menu

Internet Usage Statistics

Opens Internet Usage Statistics in the default browser. For details, see chapter 21.

Start/Stop Kerio Control

Switches between the Start and Stop modes. The text displays the current mode status.

Exit Engine Monitor

An option to exit Engine Monitor. This option does not stop the Kerio Control Engine. The

user is informed about this fact by a warning window.

Note:

1. If a limited version of Kerio Control is used (e.g. trial version), a notification is displayed

7 days before its expiration. This information is displayed until the expiration.

2. Kerio Control Engine Monitor is available in English only.

2.11 The firewall’s console (Software Appliance / VMware Virtual Appliance)

On the console of the computer where Kerio Control Software Appliance / VMware Virtual Appliance

is running, information about the firewall remote administration options is displayed.

Upon authentication with the administration password (see above), this console allows you to change

some basic settings, restore default settings after installation and shut down or restart the

computer.

By default, the console shows only information about URL or IP address which can be used

for firewall administration via the firewall’s web administration interface or the Kerio Administration

Console. To access configuration options, authentication with the Admin password is

required (Admin is the main firewall administrator’s account). If idle for some time, the user

gets logged out automatically and the welcome page of the console showing details on the

firewall’s remote administration is displayed again.

The firewall’s console provides the following configuration options:

Network interface configurations

This option allows you to show and/or edit parameters of individual network interfaces of the

firewall. Each interface allows definition of automatic configuration via DHCP or manual

configuration of IP address, subnet mask and default gateway.


Note: No default gateway should be set on interfaces connected to the local network,

otherwise this firewall cannot be used as a gateway for the Internet access.

Remote administration policy settings

When you change the firewall’s traffic policy (see chapter 7) via the web administration

interface or the Kerio Administration Console, you may happen to block access to the

remote administration accidentally.

If you are sure that the firewall’s network interfaces are configured correctly and it is

still not possible to access the remote administration, you can use the Remote

Administration option to change the traffic policy so that the rules do not block remote

administration on any interface.

Upon saving changes in traffic rules, the Kerio Control Engine service will be restarted

automatically.

In the field, unblocking of the remote administration means that a rule is added to the

top of the traffic policy table that allows access to the Control Admin (connection with the

Kerio Administration Console), Kerio Control WebAdmin and Kerio Control WebAdmin-SSL

(secured web interface of the firewall) services from any computer.

Shutting down / restarting the firewall

If you need to shut your computer down or reboot it, these options provide secure closure

of the Kerio Control Engine and shutdown of the firewall’s operating system.

Restoring default configuration

This option restores the default firewall settings as installed from the installation CD

or upon the first startup of the VMware virtual host. All configuration files and data

(logs, statistics, etc.) will be removed and it will then be necessary to execute the initial

configuration of the firewall again as for a new installation (see chapter 2.7).

Restoring the default configuration can be helpful if the firewall’s configuration is

accidentally damaged so badly that it cannot be corrected by any other means.



Chapter 3

Kerio Control administration

For Kerio Control configuration, two tools are available:

Kerio Control Administration web interface

The Administration interface allows both remote and local administration of the firewall

via a common web browser. In the current version of Kerio Control, the Administration

interface allows configuration of most of the basic options and parameters of the firewall:

• network adapters,

• traffic rules — manual configuration only; the Traffic Policy Wizard (see

chapter 7.1) is not available,

• intrusion prevention system,

• MAC address filtering,

• additional security options (Anti-Spoofing, connections count limits, UPnP

support)

• DHCP server (including automatic configuration),

• HTTP and FTP filtering rules,

• user accounts, groups, user authentication and domain mapping,

• IP groups, URL groups, time ranges and network services,

• logs.

On the other hand, some of the recently added features are available only in the web

interface:

• exporting and importing configuration,

• automatic configuration of IP scopes on the DHCP server.

Kerio Administration Console

Kerio Administration Console (referred to as the Administration Console in this document)

is an application used for administration of all Kerio Technologies’ server products. All

Kerio Control parameters can be configured here.

Using this program you can access the firewall either locally (from the Kerio Control

host) or remotely (from another host). Traffic between Administration Console and Kerio

Control Engine is encrypted. This protects you from tapping and misuse.

Kerio Administration Console is installed on Windows together with Kerio Control during

its installation.

The separate installation package Kerio Administration Console for Kerio Control is

available for remote administration from another host. The Kerio Administration Console

is available for Windows only, but it can be used for administration of both Kerio Control

installed on Windows and Kerio Control Software Appliance / VMware Virtual Appliance.


Detailed guidelines for the Administration Console are provided under Kerio Administration

Console — Help (to view these guidelines, use option Help → Contents

in the main Administration Console window, or you can download it from

http://www.kerio.com/firewall/manual).

The following chapters of this manual describe individual sections of the Administration Console

and the web administration interface.

Note:

1. The Administration web interface and the Administration Console for Kerio Control are

available in 16 localization versions. The Administration interface allows language

selection by simple switching of the flag located in the top right corner of the window

or by following the browser language preferences. The Administration Console allows

language settings in the Tools menu of the login dialog box.

2. Upon the first login to the Administration Console after a successful Kerio Control

installation, the traffic rules wizard is run so that the initial Kerio Control configuration

can be performed. For a detailed description of this wizard, please refer to chapter 7.1.

The wizard is not available in the current version of the Administration interface.

Therefore it is recommended to use the Administration Console for the initial configuration

of Kerio Control (immediately upon the installation).

3.1 Kerio Control Administration web interface

The Kerio Control Administration interface is available at https://server:4081/admin

(server stands for the firewall name or IP address and 4081 for the port of its web interface).

HTTPS traffic between the client and the Kerio Control Engine is encrypted. This protects the

communication from tapping and misuse. It is recommended to use the unsecured version

of the Administration (the HTTP protocol on port 4080) only for local administration of Kerio

Control (i.e. administration from the computer where it is installed).

Upon a successful logon to the Administration web interface, the main window consisting of

two sections is displayed:

• The left column contains the tree view of sections. For better transparency it is

possible to hide or show individual parts of the tree (upon logon, the full tree is

shown).

• The right column lists contents of the section previously selected in the left column.

In most cases, configuration changes in individual sections are performed only at the client’s

side (i.e. in the web browser) and get applied on the configuration file upon clicking on the

Apply button. Therefore, it is possible to use the Cancel button to recover the former settings.


Figure 3.1

Main window of the Kerio Control Administration interface

3.2 Administration Console - the main window

After the user has been successfully logged in to the Kerio Control Engine by the Kerio Administration

Console, the main window of the Kerio Control administration plugin is displayed

(further called the “administration window”). This window is divided into two parts:

• The left column contains the tree view of sections. The individual sections of the

tree can be expanded and collapsed for easier navigation. Administration Console

remembers the current tree settings and uses them upon the next login.

• In the right part of the window, the contents of the section selected in the left column

is displayed (or a list of sections in the selected group).

In most cases, configuration changes in individual sections are performed only at the client’s

side and get applied on the configuration file upon clicking on the Apply button. Therefore, it

is possible to use the Cancel button to recover the former settings.


Figure 3.2

The main window of Administration Console for Kerio Control

Administration Window — Main menu

The main menu provides the following options:

File

• Reconnect — using this option, the connection to the Kerio Control Engine after

a connection drop-out (e.g. after the Engine restart or network failure) can be

restored.

• New connection — opens the main window of the Administration Console. Use

a bookmark or the login dialog to connect to a server.

This option can be useful when the console will be used for administration of

multiple server applications (e.g. Kerio Control at multiple servers). For details,

refer to the Help section in the Administration Console manual.

Note: The New Connection option opens the same dialog as running the Administration

Console from the Start menu.

• Quit — this option terminates the session (users are logged out of the server and

the administration window is closed). The same effect can be obtained by clicking

the little cross in the upper right corner of the window or pressing Alt+F4 or

Ctrl+Q.

The Edit menu (on the welcome page only)

Options under Edit are related to product registration and licensing. The options available

in the menu depend on the registration status (for example, if the product is registered

as a trial version, it is possible to use options of registration of a purchased license or

a change of registration data).


• Copy license number to clipboard — copies the license number (the ID licence

item) to the clipboard. This may be helpful e.g. when ordering an upgrade or

subscription, where the number of the base license is required, or when sending

an issue to the Kerio Technologies technical support.

• Register trial version — registration of the product’s trial version.

• Register product — registration of a product with a purchased license number.

• Install license — use this option to import your license key file (for details, see

chapter 4.5).

Help menu

• Show Server’s Identity — this option provides information about the firewall

which the Administration Console is currently connected to (name or IP address

of the server, port and SSL-certificate fingerprint). This information can be used

for authentication of the firewall when connecting to the administration from

another host (see Kerio Administration Console — Help).

• Administrator’s guide — this option displays the administrator’s guide in HTML

Help format. For details about help files, see Kerio Administration Console — Help

manual.

• About — this option provides information about the version of the Kerio Control

and a link to the Kerio Technologies website.
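The fingerprint shown by Show Server’s Identity only authenticates the firewall if it is recorded over a trusted channel and compared on later connections. The following added example (not Kerio code) compares a certificate's fingerprint with a recorded value; the digest algorithm is inferred from the fingerprint length because the manual does not state which one the console displays, and `fetch_certificate_der` assumes a standard TLS endpoint such as the web interface on port 4081.

```python
"""Compare a firewall certificate with a fingerprint recorded earlier."""
import hashlib
import re
import ssl
import sys

# Hex-digit count -> digest algorithm (assumption: inferred from length only).
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Drop separators and whitespace, lower-case, and reject non-hex input."""
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    if len(cleaned) not in _ALGO_BY_HEX_LEN:
        raise ValueError("unsupported fingerprint length: %d hex digits" % len(cleaned))
    return cleaned


def certificate_fingerprint(der_bytes, algorithm):
    """A certificate fingerprint is the digest of its complete DER encoding."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def format_fingerprint(hex_digest):
    """Render as colon-separated upper-case byte pairs for side-by-side reading."""
    pairs = (hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))
    return ":".join(pairs).upper()


def verify_pinned_certificate(der_bytes, recorded_fingerprint):
    """Return (matches, algorithm, presented_fingerprint).

    The algorithm is returned so the caller can see when the recorded value is
    an MD5 or SHA-1 fingerprint, which gives a weaker guarantee than SHA-256.
    """
    expected = normalize_fingerprint(recorded_fingerprint)
    algorithm = _ALGO_BY_HEX_LEN[len(expected)]
    presented = certificate_fingerprint(der_bytes, algorithm)
    return presented == expected, algorithm, format_fingerprint(presented)


def fetch_certificate_der(host, port):
    """Fetch the certificate a TLS endpoint presents, without trusting it.

    No chain validation happens here on purpose: a self-signed certificate is
    accepted only if its fingerprint matches the recorded one.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Usage: script.py <host> <port> <recorded fingerprint>
    host, port, recorded = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok, algorithm, presented = verify_pinned_certificate(
        fetch_certificate_der(host, port), recorded
    )
    print("%s (%s): %s" % ("MATCH" if ok else "MISMATCH", algorithm, presented))
    sys.exit(0 if ok else 1)
```

A mismatch means either the certificate was replaced on the firewall or the connection is not reaching the firewall directly; do not enter the Admin password until that is resolved.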

Status bar

The status bar at the bottom of the administration window displays the following information

(from left to right):

Figure 3.3

Administration Console status bar

• The section of the administration window currently selected in the left column. This

information facilitates navigation in the administration window when any part of the

section tree is not visible (e.g. when a lower screen resolution is selected).

• Name or IP address of the server and port of the server application (Kerio Control uses

port 44333).

• Name of the user logged in as administrator.

• Current state of the Administration Console: Ready (waiting for user’s response), Loading

(retrieving data from the server) or Saving (saving changes to the server).


Detection of the Kerio Control Engine connection failure

Administration Console is able to detect the connection failure automatically. The failure is

usually detected upon an attempt to read/write the data from/to the server (i.e. when the Apply

button is pressed or when a user switches to a different section of Administration Console).

In such case, a connection failure dialog box appears where the connection can be restored.

After you remove the cause of the connection failure, the connection can be restored. Administration

Console provides the following options:

• Apply & Reconnect — connection to the server will be recovered and all changes done

in the current section of the Administration Console before the disconnection will be

saved,

• Reconnect — connection to the server will be recovered without saving any changes

performed in the particular section of the console before the disconnection.

If the reconnection attempt fails, only the error message is shown. You can then try to

reconnect using the File → Restore connection option from the main menu, or close the window

and restore the connection using the standard procedure.

Note: After a connection failure, the Administration interface is redirected and opened at the

login page automatically. Any unsaved changes will get lost.

3.3 Administration Console - view preferences

Many sections of the Administration Console are in table form where each line represents

one record (e.g. detailed information about user, information about interface, etc.) and the

columns consist of individual entries for these records (e.g. name of server, MAC address, IP

address, etc.).

The firewall administrators can define, according to their preference, how the

information in individual sections will be displayed. When you right-click each of the above

sections, a pop-up menu with Modify columns option is displayed. This entry opens a dialog

window where users can select which columns will be displayed/hidden.

This dialog offers a list of all columns available for a corresponding view. Use the checkboxes

on the left to enable/disable displaying of a corresponding column. You can also click the

Show all button to display all columns. Clicking on the Default button will restore default

settings (for better reference, only columns providing the most important information are

displayed by default).

The arrow buttons move the selected column up and down within the list. This allows the

administrator to define the order in which the columns will be displayed.

The order of the columns can also be adjusted in the window view. Left-click on the column

name, hold down the mouse button and move the column to the desired location.


Figure 3.4

Column customization in Interfaces

Note:

Move the dividing lines between the column headers to modify the width of the

individual columns.



Chapter 4

License and Registration

A valid license is required for usage of Kerio Control after the 30-day trial period. Technically, the

product works as follows:

• Immediately upon installation, the product works as a 30-day trial version. All features

and options of the product are available except the Kerio Web Filter module and update

of intrusion prevention system rules.

• Trial version can be registered for free. Registered trial version users can use technical

support for the product during the trial period. Registered users can also test the

Kerio Web Filter module and their intrusion prevention system rules are updated

automatically. Registration does not prolong the trial period.

• Upon purchase of a license, it is necessary to register the product using the

corresponding license key. Upon a successful registration, the product will be fully

available according to the particular license policy (for details, see chapter 4.1).

There is actually no difference between the trial and full version of Kerio Control except being

or not being registered with a valid license. This gives each customer an opportunity to install

and test the product in a particular environment during the trial period. Then, once the

product is purchased, the customer can simply register the installed version by the purchased

license number (see chapter 4.4). This means that it is not necessary to uninstall the trial

version and reinstall the product.

If the 30-day trial has already expired, Kerio Control stops working — the Kerio Control

Engine system service gets stopped automatically. Upon registration with a valid license

number (received as a response to purchase of the product), Kerio Control is available with

full functionality.

Note: Registration of Kerio Control generates a so called license key (the license.key file

— see chapter 25.1). If your license key gets lost for any reason (e.g. after the hard drive

breakdown or by an accidental removal, etc.), you can simply use the basic product’s purchase

number to recover the license. The same method can be used also for change of the firewall’s

operating system (Windows / Software Appliance / VMware Virtual Appliance) — the license

keys cannot be used across different operating systems. If the license number gets lost,

contact the Kerio Technologies sales department.


4.1 License types (optional components)

Kerio Control can optionally include the following components: Sophos antivirus (refer to

chapter 14) or/and the Kerio Web Filter module for web pages rating (see chapter 13.3). These

components are licensed individually.

License keys consist of the following information:

Kerio Control license

Kerio Control basic license. Its validity is defined by the two following factors:

• Update right expiration date — specifies the date by which Kerio Control can

be updated for free. When this date expires, Kerio Control keeps functioning,

however, it cannot be updated. The time for updates can be extended by

purchasing a subscription.

• Product expiration — by this date Kerio Control stops working — the Kerio Control

Engine service gets stopped automatically.

In this case, you need to register a valid license immediately or uninstall Kerio

Control. It is possible to run Kerio Control for purpose of registering. However,

if a valid license is not installed in 10 minutes, the service is stopped again.

Sophos antivirus license

This license is defined by the following two dates:

• update right expiration date (independent of Kerio Control) — after this date, the antivirus keeps functioning, but neither its virus database nor the antivirus itself can be updated any longer.

• plug-in expiration date — specifies the date on which the Sophos antivirus stops functioning and can no longer be used.

Warning:

Owing to the persistent incidence of new virus infections, we recommend that you always use the most recent antivirus versions.

Kerio Web Filter subscriptions

The Kerio Web Filter module is provided as a service. Its license is defined only by an expiration date, which specifies when this module will be blocked.

Note: Refer to the Kerio Technologies website (http://www.kerio.com/) for up-to-date information about individual licenses, subscription extensions, etc.

4.2 Deciding on a number of users (licenses)

Kerio Control 7 introduces a new system of Internet access monitoring, better corresponding

to the product’s licensing and usage policy. Kerio Technologies licenses this software as

a server with the Admin account and 5 user accounts in the basic license. Users can be added

in packages of five users.

A user is defined as a person who is permitted to connect to Kerio Control and its services. Each user can connect from up to five different devices represented by IP addresses, including VPN clients.

If any user tries to connect from more than five devices at a time, another user license is used for this purpose. Although the product formerly did not limit the number of connected users, it used to consider each IP address connected to the server as one user, which could cause situations where one user used up available licenses even by connecting from two devices at a time.

Warning:

Kerio Control does not limit the number of defined user accounts (see chapter 16). However, if the maximum number of currently authenticated users is reached, no other user can connect.

4.3 License information

The license information can be displayed by selecting Kerio Control (the first item in the

tree in the left part of the Administration Console dialog window — this section is displayed

automatically whenever the Kerio Control administration is entered).

Figure 4.1 Administration Console welcome page providing license information

Product

Product name (Kerio Control).

Copyright

Copyright information.

Homepage

Link to the Kerio Control homepage (information on pricing, new versions, etc.). Click on

the link to open the homepage in your default browser.

Operational system

Name of the operating system on which the Kerio Control Engine service is running.

This is an informative item only — the purchased license can be used for any supported

operating system.

License ID

License number or a special license name.

Subscription expiration date

Date until which the product can be upgraded for free.

Product expiration date

Date when the product expires and stops functioning (only for trial versions or special

license types).

Number of users

Maximum number of users authenticated at the firewall at a time (for details, see chapter 4.2).

Company

Name of the company (or a person) to which the product is registered.

Depending on the current license, links are displayed at the bottom of the image:

1. For unregistered versions:

• Become a registered trial user — registration of the trial version. This type of

registration is tentative and it is not obligatory. The registration provides users

free technical support for the entire trial period.

• Register product with a purchased license number — registration of a purchased

product.

Once purchased, the product must be registered. Otherwise, it will keep behaving

as a trial version!

2. For registered versions:

• Update registration info — this link can be used to update information about the

person/company to which the product is registered and/or to add subscription

license numbers or add-on licenses (add users).

In any case, the registration wizard is started. It requires basic data and also allows additional data to be defined. For detailed information on the wizard, refer to chapter 4.4.

If the update checker is enabled (refer to chapter 17.3), the A new version is available, click

here for details... notice is displayed whenever a new version is available. Click on the link to

open the dialog where the new version can be downloaded and the installation can be started

(for details, see chapter 17.3).

Note: Right-clicking in the main page of the Administration Console opens a context pop-up

menu with the same options as are provided in the Edit menu in the main toolbar of the

administration window (see chapter 3.2).

4.4 Registration of the product in the Administration Console

Kerio Control registration, change of registration details, adding of add-on licenses and

subscription updates can be done in the Administration Console by clicking on a corresponding
