Quick start with Kerio Control
Article Number: 1558 | Last Updated: Tue, Aug 23, 2016 4:30 PM
Kerio Control is a unified threat management firewall that features intrusion prevention, content filtering, activity reporting, bandwidth management, and virtual private networking. This guide provides general step-by-step instructions for deploying Kerio Control in a common scenario.
In this example:
Selecting a deployment type
Kerio Control is available as a Software, Virtual, or Hardware appliance (Hardware editions are available in North America, Australia, and the EU). The product features and functionality are nearly identical across all versions.
Hardware Appliance NG300
Installing and upgrading Kerio Control
You can download the Kerio Control image from the Kerio website. For instructions on Kerio Control installation, see Installing Kerio Control. If you are installing the Virtual or Software Appliance editions, make sure your hardware meets the system requirements.
After installation, the software automatically checks for updates. The web administration notifies you when an update is ready. See Upgrading Kerio Control for details.
Accessing Kerio Control
After installation, Kerio Control automatically detects your Internet and local interfaces. For successful detection of the network interfaces, connect Kerio Control to the appropriate networking equipment (e.g., modem, switch, or access point) prior to installation.
You can access the full administration from a web browser by entering the IP address of the firewall. Note that your management computer must be in the same IP subnet as the firewall.
The Virtual and Software Appliance editions include a separate administration interface that the administrator can access directly from the operating system. This dialog box includes only essential features and is primarily useful when you are not able to access the web administration. Capabilities of this interface include:
Activating Kerio Control
When the administrator first logs in to the web administration interface, the Activation Wizard opens. The wizard sets the basic system parameters:
Defining network interfaces and connectivity
Network interfaces in Kerio Control provide routing between local networks and the Internet. You must configure networking parameters and define your Internet connectivity before any other types of firewall configuration. The administrator can manage network interfaces and Internet connectivity in Configuration → Interfaces. Capabilities include:
See Configuring network interfaces for details.
In the example scenario, Kerio Control load balances between two Internet links and routes to four local networks.
Assigning parameters to local networks
Kerio Control can simplify managing the network by acting as a Dynamic Host Configuration Protocol (DHCP) server. DHCP automatically assigns networking parameters to connected devices. The administrator can manage the DHCP server in Configuration → DHCP Server. See Using the DHCP module for details.
In the example scenario, the DHCP server in Kerio Control automatically assigns IP configuration to all networks.
Connecting to a directory service
Kerio Control can simplify user administration by authenticating users from Apple Open Directory or Microsoft Active Directory. The administrator can manage directory services in Configuration → Domains and User Login. See Connecting Kerio Control to directory services for details.
In the example scenario, users authenticate against a local domain controller.
Enforcing security and access policies
Kerio Control enforces security through Intrusion Prevention, Traffic Rules, and Sophos Antivirus. These features are configured automatically and ensure that the firewall permits only legitimate network communication.
For additional security, the administrator can configure Traffic Rules and Content Rules. Content Rules define the types of permitted or denied web activities of users on the network. Examples include:
In the example scenario, users authenticate via RADIUS for web access and Kerio Control forbids peer-to-peer networking.
Traffic Rules define the types of permitted or denied network communication. By default, the firewall creates a basic policy that permits all types of outgoing traffic. Examples of Traffic Rules include:
In the example scenario, the firewall routes incoming traffic to servers located on the DMZ network. The administrator creates port mapping rules to allow incoming connections. See Configuring traffic rules - multihoming and Configuring Demilitarized Zone (DMZ) for details.
Enabling remote access
You can use Virtual Private Networking (VPN) to allow remote users or entire networks to access services inside the local network. Kerio Control implements IPsec for mobile device access and tunneling with third-party VPN gateways. You can also use the proprietary Kerio VPN implementation for remote access from desktop operating systems, and for tunneling to other Kerio Control firewalls. You can manage settings for VPN in the VPN server interface of the Interfaces dialog box.
In the example scenario, Kerio Control maintains a VPN tunnel with a remote office, and users connect remotely using VPN from computers and mobile devices.
Kerio Control includes several features to help you monitor network activity and optimize Internet availability.
Status → Active Hosts displays real-time activities of all hosts on the network. You can see which devices consume the most bandwidth, when the network is most active, and what types of activities are taking place. Refer to Monitoring active hosts for details.
Status → Traffic Charts displays throughput totals for a variety of items, including network interfaces, traffic rules, or bandwidth rules. This information helps you identify how data flows through your network.
Configuration → Interfaces → Internet Connectivity allows you to distribute network traffic between multiple Internet links. You can further adjust the routing of outgoing connections using Traffic Rules. See Configuring policy routing for details.
Configuration → Bandwidth Management and QoS allows you to prioritize traffic based on a variety of conditions. See Configuring bandwidth management.
In the example scenario, Kerio Control reserves 1 Mbps for VoIP traffic and restricts guest access to a maximum of 1 Mbps.
Creating and viewing reports
Kerio Control includes a reporting feature called Kerio Control Statistics. Kerio Control Statistics records the activities of authenticated users to a local database on the firewall. Privileged users can access statistics information on demand through a special web interface, or by email. See Configuring statistics and reports for details.
In the example scenario, the company president receives a weekly report of all user activity.
Configuring automated backup
You can back up the Kerio Control configuration for restoring to another system in case of hardware failure or other types of disasters. You can back up the configuration manually from the Configuration Assistant, or automatically to MyKerio. In the example scenario, Kerio Control automatically saves its configuration to MyKerio every day. See Saving configuration to MyKerio for details.